
In This Issue:

• CRTC considers iOptOut a legitimate telemarketing opt-out method: Privacy Commissioner’s Office uncovers a conundrum regarding its use (Murray Long)

• Identity Theft and Technology — How Bill C-27 Responds (Howard Simkevitz)

• Facebook: Under PIPEDA Scrutiny (Lisa Feinberg)

Volume 5 • Number 11 September 2008

CRTC considers iOptOut a legitimate telemarketing opt-out method: Privacy Commissioner’s Office uncovers a conundrum regarding its use

With the launch of Canada’s National Do-Not-Call List (“DNCL”) just around the corner (starting officially on September 30, 2008), a new privacy controversy involving an independently offered opt-out service has also just emerged.

The Chairman of the CRTC recently stated in letters to the Canadian Marketing Association (“CMA”) and Canadian Bankers Association (“CBA”) that telemarketers must comply with consumer requests to opt-out of telemarketing solicitations received via a third-party iOptOut service started by Professor Michael Geist.1 Both the CMA and CBA had strongly opposed the legitimacy of this service, stressing their members should only have to accept opt-out requests coming from the official DNCL, not a third party.

In a follow-up letter, Assistant Privacy Commissioner Elizabeth Denham stated that telemarketers could also contravene the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”) in some circumstances in collecting the names and phone numbers of people who use the iOptOut service.2 This article explains how this privacy conundrum arises and what solutions might be considered.

The history of Canada’s long awaited DNCL is that the federal government, recognizing the enormous public response to a similar U.S. service launched by the Federal Trade Commission in 2003, amended the Telecommunications Act, S.C. 1993, c. 38, in 2006 to give the CRTC the powers to establish and oversee such a service in Canada.3

Murray Long

Editor, PrivacyScan Ottawa



CANADIAN PRIVACY LAW REVIEW • Volume 5 • Number 11


In doing so, Parliament saw fit to exempt registered charities, political candidates and political parties, public opinion surveys, solicitations for general circulation newspapers, and any unsolicited telemarketing calls where the organization has an existing business relationship with the called party, based on any purchase, lease or rental of products within the preceding 18-month period and any inquiry or application concerning the above within the preceding six-month period.4

At the same time, the amendments did specify that, other than public survey companies, organizations that were exempted from the DNCL were required to maintain their own do-not-call lists.

Given the extent of opt-out that was built into the DNCL, University of Ottawa Law Professor Michael Geist publicly suggested the DNCL be renamed the “Do Not Hesitate to Call” List.5

Because of his concern that exempted organizations are permitted to continue making unsolicited marketing calls despite the inclusion of an individual’s phone number in the DNCL (the consumer must specifically request to be put on the exempted organization’s own do-not-call list), in March 2008 Professor Geist started his own opt-out web site (iOptOut.ca).

In doing so, he provided an opportunity for consumers to more easily opt-out online from a wide range of exempted organizations with a few clicks of a mouse. An explanation of how iOptOut works states that:

When you register with iOptOut you create a personal list of organizations that you wish to opt-out from further marketing. You provide your name, telephone number(s) and email address(es) and we send a message to each organization, on your behalf, asking that they remove you from their active marketing or polling lists. You could send a message to each organization yourself individually, but there are hundreds and the appropriate contact information is often difficult to obtain. iOptOut allows you to do this in bulk, opting out of dozens of organizations with a few clicks.

The website adds that when organizations receive the requests, “they are obliged by Canadian privacy law to fulfill them”.

The list of organizations where users can selectively or collectively (with one click) opt-out of receiving telemarketing calls included as of August four retailers, 27 public research companies, all national and some provincial political parties, dozens of daily newspapers, nine communications companies including Bell, Telus, Rogers and Videotron, 18 charities, seven banks and three airlines.

Canadian Privacy Law Review

The Canadian Privacy Law Review is published monthly by LexisNexis Canada Inc., 123 Commerce Valley Drive East, Suite 700, Markham, Ont., L3T 7W8, and is available by subscription only.

Web site: www.lexisnexis.ca Design and compilation © LexisNexis Canada Inc. 2008. Unless otherwise stated, copyright in individual articles rests with the contributors.

ISBN 0-433-44417-7 ISSN 1708-5446 ISBN 0-433-44418-5 (print & PDF) ISBN 0-433-44650-1 (PDF) ISSN 1708-5454 (PDF)

Subscription rates: $190.00 plus GST (print or PDF)

$299.00 plus GST (print & PDF)

Editor-in-Chief:

Professor Michael A. Geist
Canada Research Chair in Internet and E-Commerce Law
University of Ottawa, Faculty of Law
E-mail: [email protected]

LexisNexis Editor:

Boris Roginsky
LexisNexis Canada Inc.
Tel.: (905) 479-2665 ext. 308
Fax: (905) 479-2826
E-mail: [email protected]

Advisory Board:

• Ann Cavoukian, Information and Privacy Commissioner of Ontario, Toronto
• David Flaherty, Privacy Consultant, Victoria
• Elizabeth Judge, University of Ottawa
• Christopher Kuner, Hunton & Williams, Brussels
• Suzanne Morin, Bell Canada, Ottawa
• Bill Munson, Information Technology Association of Canada, Toronto
• Stephanie Perrin, Service Canada, Integrity Risk Management and Operations, Gatineau
• Patricia Wilson, Osler, Hoskin & Harcourt LLP, Ottawa

Note: This Review solicits manuscripts for consideration by the Editor-in-Chief, who reserves the right to reject any manuscript or to publish it in revised form. The articles included in the Canadian Privacy Law Review reflect the views of the individual authors and do not necessarily reflect the views of the advisory board members. This Review is not intended to provide legal or other professional advice and readers should not act on the information contained in this Review without seeking specific independent advice on the particular matters with which they are concerned.


In a May 2008 interview with Nymity News, Professor Geist said that tens of thousands of Canadians had already taken advantage of the site. He confirmed for this article that about 45,000 people have used the service, generating close to 5.4 million individual opt-outs of organizations.

A community portal on the site heaps praise on the initiative, but some posts point out that this initiative does not address a perceived underlying flaw in the whole Do-Not-Call initiative — that it is based on an opt-out, not a more privacy protective opt-in model.

While this particular complaint will never be addressed as an opt-in approach would virtually destroy direct customer marketing, two other posts raise important issues that do need addressing: the lack of a secure portal for transmitting personal information to iOptOut and the fact that use of the site creates a true privacy conundrum. As one post states:

Why on earth would privacy-seeking people want to proactively submit their personal information (name, address, telephone number, email address) to dozens, if not hundreds, of Canadian organizations — most of whom they have no prior established business relationship with — together with the instruction that they not use that PII??!!

These concerns were echoed in an April 21, 2008 letter to Privacy Commissioner Jennifer Stoddart from John Gustavson, President of the CMA.6 The letter was copied to Konrad von Finkenstein, Chairman of the CRTC. The CBA sent a similar letter on May 12. Mr. Gustavson wrote:

There are a number of very serious practical and privacy concerns about iOptOut.ca, mainly stemming from the fact that the initiative departs from the model of a centrally managed database. Instead, it is based on the concept that all organizations should maintain enormous databases of personal information, irrespective of whether the organization has any relationship with the listed consumers, has ever marketed to them, would ever plan to market to them, or indeed whether the organization even engages in marketing by telephone. This model was explored in connection with CRTC Decision 2004-35, and ultimately rejected in favour of the NDNCL that the Canadian Radio-television and Telecommunications Commission will have up and running later this fall.

The letter adds that:

The model whereby organizations would accept large lists of personal contact information from an unaccredited third party service such as iOptOut.ca would be incredibly inefficient, an unwarranted burden on tens of thousands of businesses and charities and a potential privacy risk to those who sign up to have their information emailed to potentially thousands of destinations. Furthermore, if any unaccredited third party online or elsewhere can set themselves up as collectors/forwarders of personal information and opt-out requests, we are opening the door for unscrupulous operators that may collect personal information for illegal purposes such as identity theft.

The letter warns the Privacy Commissioner that there do not appear to be any security protocols to stop hackers from penetrating the site and entering or collecting consumer records, and there is no process to validate the do-not-call requests or to monitor the request stream, thus increasing the potential of fraudulent entries.

Mr. Gustavson suggested the service may also violate PIPEDA as it relates to the transfer of personal information.

Finally, from a marketing perspective, he adds that the site confers a definite competitive advantage for those organizations that have not been listed or targeted by iOptOut.ca.

On June 27, the CRTC Chairman responded to the CMA and CBA letters7, stating that:

With regard to the means by which a do not call request may be made, I would note that there is no prohibition on consumers making such a request through a third party. In Decision 2007-48 the Commission determined that registrations and de-registrations on the National DNCL may be done by a person who has the authority to act on a subscriber's behalf.

The Chairman’s letters add that the CRTC had considered the fact that some consumers may be incapable of registering on the DNCL “or may find it more convenient to grant another person the authority to register a telecommunications number on their behalf”.8

As a result, the letters state that the CRTC has “not placed any specific restrictions on how a consumer may grant authority to another person or on the nature of a consumer's relationship with that person (e.g. by requiring that that person be a family member or a person with power of attorney)”.9

The letters note that, in Telecom Decision 2007-48, the Commission had considered that it would be difficult to confirm that all registrations on the DNCL have been made by either the subscriber of a telecommunications number or a person with the authority to register on behalf of the subscriber.


However, in addressing this concern, the Commission considered that there is “limited incentive, if any, to falsely register a telecommunications number on the National DNCL”.10 As a result, there are no authentication requirements for registration either by a subscriber or a person authorized by a subscriber.

The letters also point out that neither the Unsolicited Telecommunications Rules nor the Telecommunications Act requires a consumer to have received a telemarketing telecommunication from an organization before the consumer can make a do-not-call request to that organization. Similarly, a consumer can make a do-not-call request even where there is no existing business relationship.

There are also no restrictions on the time, place, or method by which a do-not-call request can be made. However, any such do-not-call request must become effective within 31 days of the request having been made, regardless of the method.

Chairman von Finkenstein states: “On the basis of the facts as I understand them and have set out above, I consider that do-not-call requests made through iOptOut are valid and should be honoured.”11

He suggested any CMA or CBA concerns about anti-competitive or criminal conduct by third parties could best be addressed by competition law or through the Criminal Code, R.S.C. 1985, c. C-46, while the privacy concerns raised could best be addressed by the Privacy Commissioner.

Finally, he encouraged both associations to work with Mr. Geist to resolve any technical or operational issues their members may have regarding the iOptOut service.

Subsequently, on July 28, Assistant Privacy Commissioner Elizabeth Denham responded by letter to the CMA, CBA, Michael Geist and the CRTC Chairman clarifying the Office of the Privacy Commissioner (OPC) position on iOptOut.

The key points of her letter are that the OPC considers that the DNCL will not have any impact on the application of PIPEDA to unsolicited telephone calls.

In order for PIPEDA’s consent requirements to apply to unsolicited calls, two conditions have to be met: the organization must be using personal information as defined in PIPEDA that requires consent; and it must be engaged in a commercial activity within the meaning of s. 4 of the Act.

PIPEDA does not apply to many of the calls that are covered by the DNCL rules. For example, it does not apply to "cold calls" made to numbers listed in the white pages since white pages directories contain personal information that is considered to be publicly available under PIPEDA. The Act also does not apply to calls from charities, and political parties/candidates seeking support as they would typically not trigger the commercial activity requirement.

Moreover, depending on where the recipient lives and the location of the organization making the call, calls may fall under the jurisdiction of a province where a substantially similar provincial law might apply [the treatment of personal information used by charities and other not-for-profit organizations varies depending upon which provincial law it is subject to].

PIPEDA would, however, apply to calls to existing customers offering new products or services, assuming these calls are based on use of personal information in addition to white pages directory information.

Similarly, market research calls on behalf of an organization that holds personal information about the individual (e.g., calls to customers of a bank asking about their satisfaction with the service) would be subject to PIPEDA. As well, the collection, use or disclosure of unlisted numbers, which are not considered to be publicly available, is subject to all of the provisions in PIPEDA.

The letter adds that the OPC is supportive of the DNCL program “because it will give individuals more control over the use of their personal information. As well, it will apply to some calls that are not subject to PIPEDA, particularly calls based on publicly available white page information”.12

The OPC views on iOptOut and the privacy conundrum for organizations receiving opt-out requests

Specific to Professor Geist’s iOptOut initiative, the letter states13 [emphasis added]:

Our understanding is that the iOptOut program was designed to address some of the perceived gaps in the national DNCL program that was created with the passage of Bill C-37. Registered charities, political parties, opinion-polling firms, general subscription newspapers and organizations that have pre-existing business relationships with individuals are exempt from the DNCL rules; however, with the exception of survey firms, these organizations are required to maintain their own internal do-not-call lists. Our Office along with most of our provincial and territorial counterparts questioned the exemptions that were added to Bill C-37 at the Committee stage.

Industry associations and some businesses have expressed a number of concerns about the iOptOut Program. These concerns appear to relate primarily to the security of the information on the iOptOut web site, the ability of the organization receiving the requests to authenticate the person making the request, the amount of information being provided, and the way in which this information is transmitted.

With respect to security, our understanding is that measures have been put in place with respect to the site itself and the formatting of the information. Industry has indicated that it remains concerned about the transfer of personal information. Our understanding is that the information is not encrypted when it is transferred to the organization and that the e-mail requests are often sent to the incorrect person within the organization.

The iOptOut service does not appear to be engaged in a commercial activity, and is therefore not subject to PIPEDA. Nevertheless, by way of this letter, I am encouraging iOptOut to explore ways to better protect the personal information during transmittal. I would also encourage both iOptOut and organizations to work together to ensure that it finds the correct person within organizations to send the opt-out requests to.

It is suggested that when iOptOut transfers personal information to organizations, the organization may be placed in a situation where it is forced to collect and use more information than it requires. It may in some cases be collecting the personal information of individuals who are not customers and may never be customers. Although these people have consented to such the [sic] disclosure and subsequent collection, the organization cannot be said to be limiting its collection of personal information. I acknowledge that could be a privacy issue. Organizations will need to assess whether the receipt of requests via iOptOut from individuals requesting to have their names removed from calling lists places the organizations in breach of PIPEDA.

With respect to potential complaints from individuals alleging a misuse of their personal information after they have asked not to be contacted through the iOptOut process, as outlined earlier PIPEDA does not apply to many types of unsolicited calls. We also do not have authority to take a complaint where the call was made to an individual within a province that has substantially similar legislation, unless the organization is a federal work, undertaking or business.

In the event that we received a complaint over which we had jurisdiction, we would urge the complainant to try to resolve the matter with the organization in question. As well, we may encourage individuals to contact the complaint body that will be set up as part of the DNCL on the grounds that it will be better suited to deal with complaints about unsolicited calls.

With this response, the OPC has made it clear that little help in resolving some of the issues raised by the CMA and CBA is likely to come from its office.

At the same time, a new privacy burden has been placed on businesses via Professor Geist’s site to figure out if they should or should not be collecting subscriber opt-out requests, in cases where the individuals are not current customers of the organization.

Thus the user convenience of the “one click gets all marketers” approach on the iOptOut web site may be a real sticking point.

Wally Hill, Vice-President, Public Affairs and Communications at the CMA, has told the author that the CMA is very interested in meeting with Michael Geist to sort out how to address the concerns raised by the OPC and also by his organization.

Whatever the outcome of such meetings, it is clear from the CRTC position that organizations will be forced to accept opt-out requests from third party websites such as iOptOut and that, whatever conundrums arise, this is a victory for consumer interests.

At the same time, the concerns of marketers are quite legitimate ones.

In fact, the last word on this topic (for now) should go to CBA spokesperson Maura Drew-Lytle who told CBC news that criminals and competitors could also abuse the process by setting up their own websites to either eliminate customers’ details from rivals, or acquire their personal information.

As she stated: “It’s difficult for [banks] to amend that profile unless they’re sure it’s that person who is actually making the request ... You could have a competitor go through the phone book and download all sorts of names to go on your list just so you can’t market to those people anymore.”14

Editor’s note: Murray Long is an Ottawa-based privacy consultant and an acknowledged Canadian expert on PIPEDA. He is the editor/publisher of PrivacyScan, a privacy law resource for businesses, and he can be reached at <[email protected]>


1 Letters from CRTC Chairman Konrad von Finkenstein to the CMA and CBA, June 27, 2008. Copies obtained by the author.

2 Letter from Assistant Privacy Commissioner Elizabeth Denham to the CMA, CBA, Michael Geist and the CRTC Chairman clarifying the OPC position on iOptOut, July 28, 2008. Copy obtained by the author.

3 2005, c. 50, s. 1.

4 For a detailed explanation of what constitutes an “existing business relationship” for the purposes of the DNCL, see paragraphs 200 to 210 of Telecom Decision CRTC 2007-48. These paragraphs provide the CRTC’s analysis and determinations of how such relationships will be defined. http://www.crtc.gc.ca/archive/ENG/Decisions/2007/dt2007-48.htm

5 Mr. Geist first coined this phrase in a column in the Toronto Star on September 12, 2005.

6 Letter from CMA President John Gustavson to Privacy Commissioner Jennifer Stoddart on April 21, 2008. Copy obtained by the author.

7 von Finkenstein, supra, note 1.

8 Ibid.

9 Ibid.

10 Ibid.

11 Ibid.

12 Denham, supra, note 2.

13 Ibid.

14 Peter Nowak, Telemarketers rebuked by CRTC over do-not-call objections, CBC News, August 5, 2008.

Identity Theft and Technology — How Bill C-27 Responds

The methodologies of committing crimes in cyberspace are different from their counterparts in real space. The importance of addressing this difference becomes more pronounced in light of society’s increasing reliance on information and technology infrastructure. As such, legislators must duly account for the use of technology as an integral piece of sound legislative initiatives. It can no longer be a case of using old laws to adapt to new technology.

Identity theft provides an excellent example of the impact technology has had on crime. Reports of identity theft run rampant in the popular press. However, the Criminal Code,1 as currently written, does not contain a specific identity theft offence. In fact, most of the provisions attempting to address identity theft are fraud provisions that predate the advent of the Internet save for offences dealing with credit and debit cards,2 and “[u]nauthorized use of computer”.3 This latter section is useful insofar as it can be used to capture fraudulent use of identity information over the Internet. The section reads as follows:

342.1(1) Every one who, fraudulently and without colour of right,

(a) obtains, directly or indirectly, any computer service,

(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system,

(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system, or

(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c) …4

is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years or is guilty of an offence punishable on summary conviction.

The effectiveness of the Code provisions regarding unauthorized use of a computer and fraudulent use of credit or debit cards is limited. For example, although it is illegal to fraudulently use personal information, there is nothing to address the unauthorized collection, possession or trafficking of such personal information. Seemingly, policy makers have caught on (or have been impelled to catch on) that there is a need to close such legislative gaps. In short, not only is Canada lacking a clear definition of the crime (i.e., identity theft), but law enforcement lacks the ability to intervene until, more often than not, it is too late.

Howard Simkevitz

Associate, Information Technology and Privacy Groups, Lang Michener LLP

Bill C-27

Bill C-27 had its second reading on January 30 of this year and is now in committee.5 One may assume that the Bill is in a reasonable position to pass through the House of Commons expeditiously for at least two reasons: (1) the Bill has not received any significant opposition in either of its readings thus far; and (2) there seems to be recognition by most members of Parliament that something needs to be done to contend with identity theft.

The general purpose of the Bill is to create three new offences:

1. obtaining or possessing identity information with the intent to use it to commit certain crimes;6

2. trafficking in identity information with knowledge of or recklessness as to its intended use in the commission of such crimes;7 and

3. possessing and trafficking certain government-issued identity documents belonging to another person — expanding the relevant documents from passports to include Social Insurance Numbers, drivers’ licenses, birth certificates, and a number of other identity papers.8

Furthermore, and importantly, the Bill introduces the concept of restitution for the victim.

What It Does

The Bill’s proposed amendments are laudable in three ways. First and foremost, by criminalizing the foregoing, the Bill gives law enforcement the ability to intervene at the stage of possession and trafficking — before fraud has actually been committed.

Second, the Bill is forward-thinking: it tries to anticipate the use of technology rather than shy away from it. For example, the Bill does a good job of capturing the various technical manifestations of identity, including biometrics, which will undoubtedly be a significant source of identity theft in future years. The anticipatory nature of the Bill becomes evident when looking at the very definition of “identity information” in s. 402.1 of the Code:

For the purposes of sections 402.2 and 403, “identity information” means any information — including biological or physiological information — of a type that is commonly used alone or in combination with other information to identify or purport to identify an individual, such as a fingerprint, voice print, retina image, iris image, DNA profile, name, address, date of birth, written signature, electronic signature, digital signature, user name, credit card number, debit card number, financial institution account number, passport number, Social Insurance Number, health insurance number, driver’s licence number or password.9

Although more restrictive than the definition of “personal information” in the Personal Information Protection and Electronic Documents Act,10 the list in section 402.1 is non-exhaustive, so it does leave room for other incarnations of identity-information, as technology inevitably evolves.

Third, the Bill appears to recognize the power of market forces in assisting in regulating the prescribed conduct. As mentioned above, in addition to jail time for fraudulent acts, identity thieves will now be facing the possibility of having to reimburse their victims for costs incurred as a result of the fraud (e.g. the price of rehabilitating one’s identity, replacing cards and documents, and correcting one’s credit history).11

This notion of restitution becomes increasingly relevant in the scenario where the accused is an employee of a company. Although the focus of this article is not one of corporate liability, it is important to note that this concept can be found in the present Code. Criminal intent may become attributable to an organization where: (i) the organization benefits, to some degree, from the offence; and (ii) a senior officer is a party, or where a senior officer has knowledge of the commission of the offence by other members of the organization and fails to take all reasonable steps to prevent or stop the commission of the offence.12 However, such a finding requires that there is a threshold of reasonableness by which criminal intent can be imputed.

Section 402.2 of the Bill states:

(1) Everyone commits an offence who knowingly obtains or possesses another person’s identity information in circumstances giving rise to a reasonable inference that the information is intended to be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.

(2) Everyone commits an offence who transmits, makes available, distributes, sells or offers for sale another person’s identity information, or has it in their possession for any of those purposes, knowing or believing that or being reckless as to whether the information will be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.13

Issues

Two issues come to the fore: (1) what are the circumstances that would give rise to a “reasonable” inference that the information is intended for fraud; and (2) how is one to determine that a person was “reckless” as to whether such information could be used for fraud. The standard(s) by which one could impute reasonableness and recklessness in the realm of identity theft is/are less than clear.

When one talks about identity theft, whether one uses the term identity information or, more broadly, the term personal information, these are distinct privacy-related terms. To date, there are standards for security only — there are no equivalents for privacy. Thus, without clear standards related to privacy, it may be difficult for companies to mitigate risk — to assess what is reasonable and what is reckless.

Until a comprehensive set of standards is developed in this area, it may be helpful to look to the following for guidance: (i) industry standards and best practices; (ii) Privacy Commissioners, specifically orders they render which include promulgation of standards;14 (iii) relevant legislation15 (e.g., privacy acts such as PIPEDA); and (iv) jurisprudence in the area.16

The Bill comes at a time when there is increased support for the notion that something must be done to combat identity theft. However, the Bill may not represent the panacea, and stakeholders should recognize that there is still a need to develop a comprehensive framework for contending with identity theft.17 Privacy standards would be an invaluable addition to the mix. Furthermore, public awareness about how individuals and organizations should handle identity information would also go a long way to ensure the Bill succeeds.

Editor’s note: Howard Simkevitz is an associate in the Information Technology and Privacy Groups in Toronto. Contact him directly at 416-307-4094 or [email protected].

The above article has also appeared in the Ontario Bar Association’s Eye on Privacy: Privacy Law Section Review.

1 R.S.C. 1985, c. C-46.

2 Ibid., s. 342.

3 Ibid., s. 342.1(1).

4 Ibid., s. 342.1(1); and see the definition of computer system found in s. 342.1(2), which captures Internet activity as follows: “computer system” means a device that, or a group of interconnected or related devices one or more of which, (a) contains computer programs or other data, and (b) pursuant to computer programs, (i) performs logic and control, and (ii) may perform any other function.

5 Bill C-27, An Act to amend the Criminal Code (Identity Theft and Related Misconduct) 2nd Sess., 39th Parl., 2007.

6 Ibid., s. 10.

7 Ibid.

8 Ibid., s. 1.

9 Supra, note 6.

10 S.C. 2000, c. 5. Compare the definition of “Personal information” in PIPEDA which includes any information about an identifiable individual as opposed to that of “identity information” in the Bill which must “identify or purport to identify” an individual.

11 Supra, note 6.

12 See ss. 22.1 and 22.2 of the Code.

13 Supra, note 6 [emphasis added].

14 See e.g. information Order H0-004 wherein the Commissioner stated: “[t]o the extent that PHI in identifiable form must be removed in electronic form, it must be encrypted” at 18.

15 See Canada v. Saskatchewan Wheat Pool, [1983] S.C.J. No. 14 (QL), [1983] 1 S.C.R. 205 wherein the SCC stated that although there was no nominate tort of “statutory breach” it acknowledged that the breach of statute may imply a standard of care.

16 Although there is a dearth of case law on point in Canada (part of the reason being, of course, that no tort for breach of privacy currently exists), there may be persuasive extra-jurisdictional cases. See, e.g., Randi A.J. (Anonymous) v. Long Island Surgi-Center, No. 2005-04976 (N.Y. Sup. Ct. App. Div. Sept. 25, 2007), where the court found that no written privacy plan, not following relevant legislation, and insufficient staff training, were, among other factors, sufficient for finding “negligence or recklessness” with regard to the mishandling of personal information.

17 See, e.g., the Canadian Bankers Association, Identity Theft: A Prevention Policy is Needed, (Jan. 2005); http://www.cba.ca/en/content/reports/Identity%20Theft%20-%20A%20Prevention%20Policy%20is%20Needed%20ENG.pdf


Facebook: Under PIPEDA Scrutiny

Lisa Feinberg, CIPPIC

Introduction

Over seven million Canadians1 have signed up for the social networking site Facebook. Facebook offers its users tools to share information with the people “who work, study, and live around them”.2 In an interview with Time magazine, Facebook founder Mark Zuckerberg explained that Facebook seeks to be a “model” for “real connections in the world”.3 To best model these “real” connections, Facebook purports to offer its users a high level of control4 over their information. It is this promise of control that places Facebook outside traditional notions of public and private spaces.5 This social networking model has appealed to many Canadians. But in the great rush to reap the benefits of Facebook, including relationship and community building,6 grassroots advocacy,7 identity exploration8 and artistic development,9 Canadians have exposed themselves to privacy threats. In this respect, Facebook must comply with the requirements set out by Canada’s federal legislation governing the private sector, the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”).10

As part of an internship for the Canadian Internet Policy and Public Interest Clinic (“CIPPIC”), we, a team of law students led by Director Philippa Lawson, some of whom are avid Facebook users, sought to determine whether Facebook was meeting PIPEDA requirements to protect Canadians from privacy threats. We chose to examine Facebook’s practices due to its popularity in Canada; other social networking sites are also suspect. After assessing Facebook’s policies and practices, we found what appeared to be 22 violations of PIPEDA. We have lodged a complaint with the Privacy Commissioner of Canada detailing our findings. The commissioner has one year to report her findings and recommendations to Facebook. In this article, I will begin by briefly explaining what Facebook is. I will then describe some of Facebook’s apparent violations of PIPEDA involving social networking, advertising, and third party applications.11 Next, I will examine these violations in light of the way that Facebook is promoting itself. Finally, I will briefly detail the implications of these breaches for the Facebook and broader community.

What is Facebook?

Facebook is a free web-based social networking site founded in 2004 by Mark Zuckerberg. It is self-described as a “social utility that connects people with friends and others who work, study and live around them”.12 To begin, users create Profiles13 that include their names, birthdays, sexual orientation, political beliefs, favourite music, art, and movies, religion and so forth. Facebook requires in its Terms of Use that users do not enter false information in their Profiles. Users add Friends with whom they have connections. These connections can be based on common interests, experience, and hobbies or on “real-life” connections. Users can also join Networks that relate to their location, school, job, etc. Connected users can then communicate by public or private messaging, file-sharing, recommendation of products, and discussion boards. Users can also add photos and tag the individuals who are captured in their photos. The actions that users have taken are listed on their Profiles in a Mini-Feed and the aggregated actions that all users have taken are listed on the Facebook homepage in a News-Feed.

Social Networking and PIPEDA

Facebook promises users that they “can use [Facebook’s] privacy settings at any time to control who can see what on Facebook”.14 In reality, Facebook assumes implied consent for users through its default privacy settings. These settings automatically share a user’s entire Profile with Friends and a user’s entire Profile except for contact information with Network members. This means that a thirteen-year-old15 who joins the Toronto Network will automatically share their information with the thousands of members of the Toronto Network. The information that is shared on Facebook, such as sexual orientation, photos, relationship status, political views, and religion, is often sensitive. Because Facebook’s Terms of Use require that user information must be true, users are not permitted to protect their privacy by hiding their identity. To opt out of the default privacy settings, users must take action themselves to find their settings and change them. By making default choices for users to share their sensitive information, Facebook appears to be violating Principle 4.3.4 of PIPEDA (Schedule 1), which requires express consent for the sharing of sensitive information.

Facebook sets default settings to share users’ photographs even more widely than their Profiles. Photo albums that are uploaded onto Facebook are defaulted to be broadcast to “everyone” or all Facebook users. Photos can hold very sensitive information about the individuals pictured in them. Serious implications could follow if these photos are released into the wrong hands.16 Accordingly, the Office of the Privacy Commissioner has recognized photographs as sensitive information.17 Therefore, Facebook is in another apparent violation of Principle 4.3.4 for sharing users’ sensitive photos with everyone on Facebook without express permission to do so. In our submission to the commissioner, we have suggested that Facebook should rather allow its users to opt into sharing their information.

What makes Facebook’s use of implied consent to share its users’ sensitive information even more troubling is its lack of notice for doing so. Upon registering for Facebook, users are invited to add Friends, join Networks, and enter their Profile information. However, at no point in this process are they directed to their default privacy settings and encouraged to adjust them. Without notifying users of their default settings, Facebook should not assume that users have given their implied consent to share their information with Friends and Network members.

Furthermore, Facebook has made it difficult for users to delete their accounts and stop sharing information via Facebook. Under Facebook’s account settings, users may choose to “deactivate” their accounts but not to delete them. Deactivated accounts are not accessible to other Facebook users, but they do remain on the Facebook system. Facebook does not specify how long they retain information from deactivated accounts. Facebook claims that the deactivation option benefits users who want to take a “holiday” from Facebook and revive their accounts at a later date. To delete their accounts completely, users must email a request to Facebook. We have submitted that it should be as easy to delete an account as it is to deactivate one. We have submitted that the request process currently in place constitutes a violation of Principle 4.3.8, which sets out that users should be able to withdraw consent to share their information at any time.

Advertising and PIPEDA

Facebook is collecting user information for the purpose of advertising without sufficiently notifying them. Facebook allows advertisers to target ads to its users using search criteria such as location, sex, age, education status, workplace, political views, and relationship status. However, these advertising activities are not made clear to Facebook users. PIPEDA Principle 4.3.2 sets out: “Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.” Compared to its social networking activities, Facebook’s advertising activities are relatively covert. In its welcome page, Facebook makes no mention of its advertising activities. Similarly, Facebook does not notify users of its advertising activities during the registration process. Facebook does not mention its advertising activities in its Privacy Policy. However, this notice is clouded by complicated language that would be difficult for many Facebook users to decipher. We have submitted to the commissioner that this constitutes a violation of the notice requirement in Principle 4.3.2. We have suggested that Facebook be just as open about its advertising as it is about its social networking — Facebook should publicize its advertising activities on its welcome page and during the registration process.

Furthermore, Facebook is not allowing users to opt out of the “Social Ads” that it broadcasts to their Profiles.18 Principle 4.3.3 requires: “An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified, and legitimate purposes.” Facebook’s specified purpose is to facilitate social networking — not to facilitate advertising. Therefore, we have submitted that by not allowing its users to opt out of its Social Ads, Facebook is violating Principle 4.3.3.


Third Party Applications and PIPEDA

Facebook is permitting third party application developers to collect and use an overly broad range of user information. Facebook allows third party application developers to create applications on the Facebook Platform. Examples of applications include Horoscope, which places daily horoscopes on a user’s Profile; Slideshow, which displays a slideshow of a user’s pictures on his or her Profile; and Scrabulous, which allows users to play online word games together. When users add an application, they must consent to allow the third party application developers to “know who I am and access my information”. This authorizes third party application developers to gain access to users’ name, email, birthday, address, religion, relationship status, education and work information, photos, and more. This range of information is clearly more extensive than what is necessary to operate a simple application like Horoscope. We have submitted that Facebook is violating Principle 4.4.1 of PIPEDA by not limiting the information that is collected to what is “necessary to fulfill the purposes identified”.

Furthermore, third party application developers may retain the information of users who have deleted their applications. Facebook never brings this practice directly to the attention of its users — rather Facebook buries notice of this practice in its Terms of Use. Furthermore, even if users do not add applications themselves, their information will be accessible to applications that their Friends or members of their Network have added. Facebook’s Terms of Use states, “If your friends or members of your network use any Applications, such Platform Applications may access and share certain information about.” This sharing of information clearly occurs without users’ consent.

Most troubling, Facebook has not assumed responsibility for monitoring these applications. In its Terms of Use, Facebook states, “Third Party Applications are not investigated, monitored or checked for accuracy, appropriateness, or completeness by us, and we are not responsible for any Third Party Sites accessed through the Site or any Third Party Applications, Software or Content posted on, available through or installed from the Site, including […] privacy practices or other policies.” Rogue third party application developers could easily exploit user information for fraudulent purposes.19 Without Facebook assuming more responsibility over the third party applications, Canadians are not adequately protected from privacy threats.

Facebook’s Privacy-Friendly Image

Facebook’s suspect privacy practices are overshadowed by its privacy-friendly image. Facebook identifies one of its core principles to users as “You should have control over your personal information.”20 Facebook has marketed this control that it offers users as reaching “granular” levels.21 In its response to our complaint, Facebook has reiterated this message: “We pride ourselves on the industry leading controls we offer users over their private information. We believe that this is an important reason that nearly 40% of Canadians on the internet use our service.”22 Studies have shown that Facebook’s marketing practices have worked. Individuals are willing to share more information on Facebook than on MySpace because they trust Facebook more.23 Our findings reveal that this trust is not entirely deserved. Although Facebook is an excellent social networking tool, its privacy settings are crude relative to its promises.

Implications for the Facebook and Broader Community

Canadians on Facebook are sharing their information with invisible audiences — particularly with third party application developers and advertisers. As a result of this wide dissemination of information, there could be chilling consequences for Canadians. There have already been reports of cyberstalkers,24 cyberbullies,25 and identity thieves26 preying on their victims using social networking sites. Reputational damage can also occur as a result of information shared on social networking sites. Employees27 and students28 have been disciplined on the basis of information on social networking sites.

Canadians who are not on Facebook are not immune to these dangers. Facebook users are sharing pictures and other information about non-users. With one out of every three Canadians on Facebook, it is likely that many Canadian non-users have information about them on Facebook. More disturbingly, Canadian non-users may never know what is shared about them on Facebook, since they are not accessing the site. Non-users may request that Facebook remove their information from the site; however, non-users can only do so if they know that the information is on Facebook in the first place. We have submitted to the Privacy Commissioner that this constitutes a violation of Principle 4.3 of PIPEDA, which requires informed consent for collection and use of personal information.


Conclusion

It is time for Facebook to live up to its privacy-friendly image. In this article, I have detailed CIPPIC’s submission to the Privacy Commissioner of Canada on Facebook’s suspect practices relating to social networking, advertising, and third party applications. In response to our complaint, Facebook has stated to the media, “We’ve reviewed the complaint and found it has serious factual errors, most notably its neglect of the fact that almost all Facebook data is willingly shared by users.”29 However, I have demonstrated instances of Facebook sharing information without the knowledge or consent of its users. We have called upon the Privacy Commissioner to address these instances. Until action is taken, the privacy of Canadians, Facebook users and non-users alike, is at risk.

Editor’s Note: Lisa Feinberg is in her second year of a combined Bachelor of Law and Masters Program held by the University of Ottawa and the Norman Paterson School of International Affairs. She is currently interning at the Canadian Internet Policy and Public Interest Clinic (CIPPIC).

1 “Statistics,” Facebook, online: <http://www.facebook.com/press/info.php?statistics>.

2 See the self-description of Facebook in “About Facebook,” Facebook, online: <http://www.facebook.com/about.php> [“About Facebook”].

3 Laura Locke, “The Future of Facebook,” Time (July 17, 2007), online: <http://www.time.com/time/business/article/0,8599,1644040,00.html> [“The Future of Facebook”].

4 See the privacy settings on Facebook: “Privacy Settings,” Facebook, online: <http://www.facebook.com/hom.php?ref=logo#/privacy>.

5 For an interesting look at how social networking sites subvert the traditional public and private divide, see Susan Barnes, “A privacy paradox: Social networking in the United States” (2006) 11:9 First Monday, online: <http://www.firstmonday.org/issues/issue11_9/barnes/index.html>.

6 danah boyd & Nicole Ellison, “Social network sites: Definition, history, and scholarship” (2007) 13:1 Journal of Computer-Mediated Communication, online: <http://jcmc.indiana.edu/vol13/issue1/boyd.ellison.html>.

7 See for example, the Facebook group “Fair Copyright for Canada” founded by Michael Geist in response to Copyright bills introduced by the Canadian Government. This group has over 84,000 members to date.

8 See article on how youth use social networking sites to explore their identities: danah boyd, “Why Youth (Heart) Social Network Sites: The Role of Networked Publics in Teenage Social Life” in David Buckingham ed., MacArthur Foundation Series on Digital Learning – Youth, Identity, and Digital Media (Cambridge: MIT Press, 2007) at 119.

9 See for example article about how independent musicians are promoting themselves on MySpace: Katheryn Masterson, “MySpace, MyStage,” Chicago Tribune – RedEye, online: <http://www.futureofmusicbook.com/?s=masterson>.

10 S.C. 2000, c. 5 [PIPEDA].

11 For more information, see full complaint online: <http://www.cippic.ca/uploads/CIPPICFacebookComplaint_29May08.pdf>.

12 “About Facebook,” supra, note 2.

13 “Profile” is capitalized, because it is a technical Facebook term. Other technical Facebook terms used here include Friends, Networks, Mini-Feed, News-Feed, Terms of Use, and Privacy Policy.

14 “About Facebook,” supra, note 2.

15 To join Facebook, users must self-declare that they are thirteen years old or older.

16 See for example, a teacher who was disciplined for a MySpace photo entitled “drunken pirate” that depicted her in a pirate hat drinking from a plastic cup: “College sued over “drunken pirate” sanctions,” The Smoking Gun (April 27, 2007), online: <http://www.thesmokinggun.com/archive/years/2007/0426072pirate1.html> [“drunken pirate”].

17 Office of the Privacy Commissioner of Canada, “Photographing of tenants’ apartment without consent for insurance purposes,” PIPEDA Case Summary # 349, online: <http://www.privcom.gc.ca/cf-dc/2006/349_20060824_e.asp>.

18 Users can opt out of other forms of advertising, such as Beacon — the broadcast of actions taken on Facebook’s partner websites.

19 See privacy concerns raised by Facebook third party application “Compare People”: Chris Williams, “Facebook application hawks your personal opinions for cash,” The Register (September 12, 2007), online: <http://www.theregister.co.uk/2007/09/12/facebook_compare_people/>.

20 See “Privacy Policy,” Facebook, online: <http://www.facebook.com/policy.php>.

21 “The Future of Facebook,” supra, note 3.

22 Maggie Shields, “Facebook ‘violates privacy laws’,” BBC News (May 31, 2008), online: <http://news.bbc.co.uk/2/hi/technology/7428833.stm> [“Facebook ‘violates privacy laws’”].

23 C. Dwyer, S.R. Hiltz, and K. Passerini, “Trust and privacy concerns with social networking sites: A comparison of Facebook and MySpace,” Proceedings of AMCIS 2007 (2007), online: <http://csis.pace.edu/~dwyer/research/DwyerAMCIS2007.pdf>.

24 See for example, reports of sex offenders pursuing minors on MySpace: Kevin Poulsen, “MySpace Database Search Starts Yielding Sex Offender Busts,” Wired Blog (June 14, 2007), online: <http://blog.wired.com/27bstroke6/2007/06/myspace_databas.html>.

25 Stefanie Olsen, “A rallying cry against cyberbullying,” CNET (June 7, 2008), online: <http://news.cnet.com/8301-10784_3-9962375-7.html>.

26 See for example, the woman who pretended to be a young boy on MySpace to communicate with young neighbour: Scott Michaels, “No charges in MySpace Suicide,” ABC NEWS (December 3, 2007), online: <http://abcnews.go.com/thelaw/story?id=3946124&page=1.> See also American student who used Facebook to get information for identity theft purposes: Will York, “Student arrested on identity theft charges,” 78 The Pacer 19 (February 2, 2006), online: <http://pacer.utm.edu/2946.htm>.

27 “drunken pirate,” supra, note 16; “Employers look at Facebook too: Companies turn to Online Profiles to see what applicants are really like,” CBS NEWS (July 7, 2008) online: <http://www.cbsnews.com/stories/2006/06/20/eveningnews/main1734920.shtml>.

28 See for example, Ryerson student who was suspended for sharing information in a Facebook study group: Louise Brown, “Student Faces Facebook Consequences: Freshman hit with 147 academic charges for online study network at Ryerson University,” The Toronto Star (March 6, 2008), online: <http://www.thestar.com/news/gta/article/309855>.

29 “Facebook ‘violates privacy laws’”, supra, note 22.