Saturday, October 22, 2011

Facebook Ireland Facing Audit Over Privacy, ‘Shadow Profiles’


Irish data protection officials confirmed Friday that they will conduct a “comprehensive audit” of Facebook’s Ireland operations amidst complaints about the amount of deleted data stored by the social network, among other things.

The audit, which will begin before the end of the month, will “assess Facebook’s compliance with the requirements of the Irish Data Protection Acts as they apply to its users outside of the U.S. and Canada,” Ciara M. O’Sullivan, a spokeswoman from Ireland’s Office of the Data Protection Commissioner, said in a statement.

Part of the audit will involve visits to Facebook’s Dublin offices, which O’Sullivan said will “take a number of days.” Officials expect to be done by year’s end.

“Facebook is cooperating fully with the audit and we would anticipate that it will implement any necessary changes to comply with any requirements identified,” she said.

The issue is making headlines thanks to a 24-year-old Austrian law student, Max Schrems, who asked Facebook to turn over the data it had stored about his Facebook activity and was shocked to find just how much information that included. Since issues concerning Facebook users outside of the U.S. and Canada are handled by Facebook’s Dublin office, Schrems filed a variety of complaints with Irish officials, asking them to investigate.

In an August letter to Schrems, Assistant Data Protection Commissioner Tony Delaney said the commissioner “will investigate your complaints using his full legal power if necessary.” On Friday, O’Sullivan said her office had already planned an audit of Facebook Ireland prior to Schrems’ complaint, but his concerns “will also be assessed on the audit.”

In June, amidst the controversy over Facebook facial-recognition technology, Ireland’s data protection commission said it was “in contact with Facebook” over the tagging feature because it “needs to be examined for compliance with Irish data protection requirements.”

According to The Guardian, Facebook could face fines of up to €100,000 ($139,000) for violations of data protection laws.

Facebook Creating Shadow Profiles?

Schrems’ complaint is chronicled via europe-v-facebook.org (which, ironically, has its own Facebook page). According to The Guardian, the effort started in June after Schrems attended a lecture by a Facebook exec at California’s Santa Clara University. He asked that Facebook hand over all the data that it had on him, as is permitted by EU data laws, and the company responded by sending him a CD with the information.

Schrems was apparently shocked by all the data Facebook stored—from all the people he had “poked” and instances of untagged photos to deleted posts and chat logs. He decided to file 22 separate complaints with Irish officials.

Among those complaints is one accusing Facebook of creating “shadow profiles” with the data imported from various outside services, like mobile phones, email contact lists, instant messaging services, invites to friends not on Facebook, and more.

“Facebook Ireland is gathering excessive amounts of information about data subjects without notice or consent by the data subject. In many cases, these information might be embarrassing or intimidating for the data subject,” the complaint said. “This information might also constitute sensitive data such as political opinions, religious or philosophical beliefs, sexual orientation and so forth.”

He told The Guardian that some of the data could be rather damning if Facebook were hit by a security breach and the info was revealed. “I’m not saying there was anything criminal or forbidden there, but let’s just say that, as someone wanting to work in law, there was stuff which could make it pretty impossible for me to get a job,” he said.

In a statement, Facebook said “the allegations are false.”

“For example, we enable you to send emails to your friends, inviting them to join Facebook. We keep the invitees’ email address and name to let you know when they join the service. This practice is common among almost all services that involve invitations—from document sharing to event planning—and the assertion that Facebook is doing some sort of nefarious profiling is wrong,” the company said. “In addition, Facebook offers more control than other services by enabling people to delete their email address from Facebook or to opt-out of receiving invites.”

Deleted From Facebook? Think Again

The issue of Facebook and deleted data last popped up in February 2009 after an update to the social network’s terms prompted confusion over how Facebook handles people’s information.

In a blog post, Facebook chief Mark Zuckerberg said Facebook comments made outside of your profile or messages sent to other members will live on even if you delete your profile.

“When a person shares something like a message with a friend, two copies of that information are created—one in the person’s sent messages box and the other in their friend’s inbox,” he wrote at the time. “Even if the person deactivates their account, their friend still has a copy of that message.”

“We think this is the right way for Facebook to work, and it is consistent with how other services like e-mail work. One of the reasons we updated our terms was to make this more clear,” Zuckerberg wrote.

Facebook reiterated this stance on Friday. “As part of offering people messaging services, we enable people to delete messages they receive from their inbox and messages they send from their sent folder. However, people can’t delete a message they send from the recipient’s inbox or a message you receive from the sender’s sent folder. This is the way every message service ever invented works. We think it’s also consistent with people’s expectations. We look forward to making these and other clarifications to the Irish DPA.”

In 2008, meanwhile, Facebook took some heat for keeping copies of deleted member profiles on their servers. Facebook then updated its privacy policy to say that it keeps data from “deactivated” accounts for those who wish to rejoin the site at a later date. Those who want their information entirely wiped from the site must go one step further and request that Facebook permanently delete their profiles.

After deletion, “some information may remain in backup copies and logs for up to 90 days,” Facebook says on its privacy policy. “You should only delete your account if you are sure you never want to reactivate it.”