Facebook broke Canadian privacy law, joint probe finds

The latest damning assessment of Facebook’s trampling of user privacy comes from the Canada and British Columbia privacy commissioners — which have just published the results of an investigation kicked off in the wake of the Cambridge Analytica data misuse scandal last year.

They found the social network company committed serious contraventions of local laws and failed generally to take responsibility for protecting the personal information of Canadians.

Facebook has disputed the findings and refused to implement the watchdogs’ recommendations — including refusing to voluntarily submit to audits of its privacy policies and practices over the next five years.

The Office of the Privacy Commissioner of Canada (OPC) said it therefore plans to take Facebook to Federal Court to seek an order to force the company to correct its deficient privacy practices.

Both watchdogs have also called for local privacy laws to be beefed up so that regulators have stronger sanctioning powers to protect the public’s interest.

“Facebook’s refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company,” said Daniel Therrien, privacy commissioner of Canada, in a statement. “Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection.

“The stark contradiction between Facebook’s public promises to mend its ways on privacy and its refusal to address the serious problems we’ve identified – or even acknowledge that it broke the law – is extremely concerning.”

“Facebook has spent more than a decade expressing contrition for its actions and avowing its commitment to people’s privacy. But when it comes to taking concrete actions needed to fix transgressions they demonstrate disregard,” added B.C. information and privacy commissioner, Michael McEvoy, in another supporting statement. “The ability to levy meaningful fines would be an important starting point.”

“It is untenable that organizations are allowed to reject my office’s legal findings as mere opinions,” added Therrien.

We’ve reached out to Facebook for comment. Update: A Facebook spokesperson has now emailed this statement:

After many months of good-faith cooperation and lengthy negotiations, we are disappointed that the OPC considers the issues raised in this report unresolved. There’s no evidence that Canadians’ data was shared with Cambridge Analytica, and we’ve made dramatic improvements to our platform to protect people’s personal information. We understand our responsibility to protect people’s personal information, which is why we’ve proactively taken important steps towards tackling a number of issues raised in the report and worked with the OPC to offer additional concrete measures we can take to address their recommendations, which includes offering to enter into a compliance agreement.

The company also points to changes it has made since the Cambridge Analytica saga snowballed into a major global scandal — saying it has limited the access developers on its platform have to Facebook login users’ data, as well as making changes to privacy and app settings to make them more visible and make it easier for users to revoke app permissions.

Another measure it has taken since the scandal is to launch a data abuse bounty program, offering rewards for people with first-hand knowledge and proof of apps that are abusing user data by collecting and transferring it to another entity to be sold, stolen or used for scams or political influence.

We’ve asked Facebook how many data abuse reports it’s received since launching the bounty program and how much has been paid out.

It also reiterates the historical audit of apps with access to large amounts of user data that it announced last year. This remains ongoing, and has been pretty quiet since last year — when Facebook said it had suspended around 200 apps out of an unspecified “thousands” reviewed.

As part of that review the company committed to telling users of any apps it bans for abuse. So we’ve also asked Facebook how many users have been informed that their data was previously abused by apps on its platform.

The Canadian and B.C. privacy watchdogs combined their efforts to investigate Facebook and Cambridge Analytica-linked data company Aggregate IQ last year — setting out to determine whether the companies had complied with local privacy laws.

More than 600,000 Canadians had their data extracted from Facebook via an app whose developer was working with Cambridge Analytica to try to build profiles of U.S. voters.

Among the privacy-related deficiencies the two watchdogs are attaching to Facebook’s business are what they dub “superficial and ineffective safeguards” of user data that enabled unauthorized access by third party apps on its platform; a failure to obtain meaningful consent for the use of users’ friends’ data; a lack of proper oversight of the privacy practices of apps using Facebook’s platform, with a reliance on contractual terms and “wholly inadequate” monitoring of compliance.

All familiar stuff if you were following the twists and turns of the Cambridge Analytica data misuse saga last year. (Aleksandr Kogan, the third party app developer at the centre of the Cambridge Analytica data misuse scandal also accused Facebook of not having a valid developer policy.)

The full report can be found here.

“A basic principle of privacy laws is that organizations are responsible for the personal information under their control. Instead, Facebook attempted to shift responsibility for protecting personal information to the apps on its platform, as well as to users themselves,” the watchdogs write, further accusing Facebook of an overall lack of responsibility for the personal data of users.

They also point out that their findings are of particular concern given an earlier 2009 investigation of Facebook by the federal commissioner’s office — which found similar contraventions with respect to Facebook seeking overly broad, uninformed consent for disclosures of personal information to third-party apps, as well as inadequate monitoring to protect against unauthorized data access by apps.

“If Facebook had implemented the 2009 investigation’s recommendations meaningfully, the risk of unauthorized access and use of Canadians’ personal information by third party apps could have been avoided or significantly mitigated,” they add.

(Oh hai, deja vu… )

The commissioners are calling for not only the power to levy financial penalties on companies that break privacy laws — as equivalent watchdogs in Europe already can — but also broader authority to inspect the practices of organizations to independently confirm privacy laws are being respected.

“This measure would be in alignment with the powers that exist in the U.K. and several other countries,” they note.

“Giving the federal Commissioner order-making powers would also ensure that his findings and remedial measures are binding on organizations that refuse to comply with the law,” they add.

The UK’s data protection watchdog levied the maximum possible fine on Facebook last year — although it’s ‘just’ £500,000 and Facebook is appealing, claiming there’s no evidence that UK users’ data was misused.

Facebook is also now making the same claim for Canadian users’ data that ended up in the Cambridge Analytica dataset — which is presumably where its legal argument will focus when the litigation reaches Federal Court in Canada.

However EU data protection law, at least, places heavy emphasis on data controllers’ responsibility to safeguard data. So the fact of data being breached, regardless of whether or not individuals’ information was misused, can still mean laws have been broken — and penalties are due.

An updated pan-EU privacy framework, GDPR, which came into force after the Cambridge Analytica-related data misuse occurred, has also massively upgraded the maximum possible fines that European data watchdogs can hand down for privacy violations.

And the Irish DPC, the lead privacy regulator for Facebook’s European business, has a very long list of open probes against Facebook and Facebook-owned platforms — adding yet another today, into a security facepalm that Facebook disclosed last month, admitting it had managed to store hundreds of millions of user passwords in plain text format on its internal servers without apparently noticing until January. So, er, watch that space.

Earlier this year a U.K. parliamentary committee, which spent multiple months last year investigating Facebook and Cambridge Analytica as part of a wider inquiry into online disinformation, called for Facebook’s use of user data to be investigated by the privacy watchdog.

The committee also urged the UK’s Competition and Markets Authority to undertake an antitrust probe of Facebook’s business practices, and recommended that the social media ad market face a comprehensive audit to address concerns about its lack of transparency.

This report was updated with comment from Facebook.