Facebook: We’re updating our terms …

Most of us have received a number of emails pointing us to revised terms of use and privacy/data policies, or asking us to consent. These have been driven by the GDPR, the new privacy regime in the EU.

Facebook’s starts with:

Hi David,

We’re updating our Terms, Data Policy, and Cookies Policy to make sure you know how your data is used so you can make the choices that are right for you.

(You have all taken the time to read, understand and make informed choices under these, right?)

Facebook has been under increasing scrutiny over what it does with our information. Frankly, the notion of privacy is somewhat inconsistent with Facebook’s fundamental mission to share information. But at least Facebook is now complying with the tougher consent rules of the GDPR, and giving us the choices we deserve. Or are they?

At least one privacy advocate doesn’t think so. On the same day the GDPR took effect, Austrian lawyer Max Schrems launched complaints against Facebook through a crowdfunded group called None Of Your Business. The gist of the complaints is that Facebook’s consents are not compliant with the GDPR.

Even Apple is on the anti-Facebook, anti-tracking movement. At its WWDC developer conference this week it announced new features in its Safari browser to stop Facebook and others from collecting so much information.

Cross-posted to Slaw

Supreme Court of Canada overrides forum clause in Facebook agreement

The Supreme Court of Canada has decided that a British Columbia privacy class action may proceed against Facebook in the courts of BC, despite the contract naming California as the forum for legal actions.

My personal view is that in business to consumer contracts, if a court decides that a local law is important enough, or if the actions of the business offends local sensibilities, it will find a way to apply local laws and hear the case. This Douez v Facebook decision will be relevant for any future actions in Canada that question the applicability of portions of online or other business to consumer agreements.

Here are some points to take away from the case.

  • The decision only decided that the class action may proceed in BC. The substantive privacy claim has yet to be litigated.
  • The decision shows how difficult this issue is to decide. Of the 7 SCC judges, there were 2 different majority opinions, and a dissent by 3 judges. They were fairly consistent about the test, but came to different conclusions based on the facts and legal philosophy.
  • The case was decided based on the BC Privacy Act that includes a statutory privacy breach tort. It remains to be seen how it would apply to other provinces that may only have a common law privacy tort. Or how it would apply to other issues.
  • It does not render choice of law clauses irrelevant. Nor does it render click-wrap agreements unenforceable. It is still important for vendors to include clear choice of law and forum clauses.
  • It has created uncertainty, and vendors need to know that courts may choose to override forum clauses and perhaps others. The fairer a court perceives the document to be in general (especially in the context of local laws), the more likely it will be followed.
  • Getting privacy right is crucial. If vendors offer services to those in countries with strong privacy laws, they must pay close attention to those laws when designing their products and new features. That includes developing Canadian laws, and for those providing services to European customers, the pending GDPR.

Cross-posted to Slaw

Facebook Graph Search

Today’s Slaw post:

Facebook just announced a new search tool called Graph Search that is now in beta for a limited number of users.  It allows users to search based on information about their friends.  A search, for example, for a restaurant will return results based on the likes and interests of the searcher’s friends.

It seems that Facebook is respecting user privacy settings, and basing the search only on what users have chosen to make public.  But then again consent is all about context, and users may not have thought about such a feature when considering their privacy settings.

Facebook’s announcement has a section on privacy.  If you want more detail CNET has a good article talking about things that the search will look at (such as shared data from apps and tagged photos) and things that we should look at to make sure we are still comfortable with our settings in light of the search tool.


Facebook comments by juror causes mistrial

Today’s Slaw post

A Facebook comment by a juror made before a trial has resulted in a mistrial. CBC news reports that on the first day of a Moncton murder trial of Fred Prosser, the victim’s family brought to the judge’s attention the fact that one of the jurors was a member of a Facebook group against the accused, and had posted comments on it. The judge declared a mistrial to avoid the possibility that this juror had already tainted the rest of the jury.

You can hear David Fraser’s comments in this CBC interview. David comments that many people don’t appreciate that the rules of the offline world apply to the online world as well. I couldn’t agree more.

On the one hand, some people totally forget the old rules and do things on social media that they would never do in a letter to the editor. But on the other hand, some people are more comfortable with the risks of things they are familiar with than new things.

This often explains why some people do imprudent things online, and why some organizations try to unduly suppress online activity.


Commercial users of social media need to check terms of use

Today’s Slaw post:

It is becoming more common for businesses (and law firms) to have a corporate presence on social media platforms such as facebook, LinkedIn, and Google plus. Some take advantage of promotional uses such as contests on facebook.

It is important to look at the terms of use if you do that. facebook, for example, has terms that govern how contests can be run on facebook. I suspect many facebook contests run afoul of these terms, and get away with it only because facebook didn’t happen to catch it. I also suspect that many people running the contests are not aware that the rules exist, or if they do know, see others violating, so think they can get away with it too.

Violating the rules is dangerous, as there is a risk that the social media site might simply terminate the page, or even suspend the account. That would certainly be embarrassing and damage one’s reputation, and could, depending on the circumstances, attract the wrath of users or followers.






Facebook privacy fragile

For the London Free Press – October 25, 2010

Read this on Canoe

Postings to social network sites can be forced into evidence in legal proceedings

It seems like everybody is on Facebook or a similar social networking site. The prevalence of such websites has raised interesting questions relating to the level of privacy that should be afforded to users.

People often post intimate details concerning their lives and daily routines on Facebook. From a lawyer’s perspective, scattered among the minutia may lie pertinent information or evidence relating to legal proceedings the user is a party to.

Canada has some leading jurisprudence relating to this issue. A recent New York decision, Romano versus Steelcase, dealt with the defendant’s efforts to be granted access to the plaintiff’s current and historical Facebook and MySpace accounts.

The New York judge in Romano relied on the principles from the leading Ontario case on the matter, Leduc versus Roman from 2009. The judge in Romano echoed the reasoning in Leduc, demonstrating the court’s unwillingness to allow users a high level of protection.

In Leduc, the court held the moving party did not have the right to access the Facebook profile as a right. However, the court went on to state if the moving party can produce sufficient evidence there is information of relevance on the profile then the court can order the production of the evidence.

Based on the court’s finding it seems the level of privacy that will be afforded to Facebook profiles is considerably less than that afforded to other electronic communications, such as e-mails. The very purpose of social networking provides the reasoning behind this position.

The court noted in Leduc that to permit a party claiming damages for loss of enjoyment of life to hide behind self-set privacy controls on a website – the very purpose of which is to enable people to share information – risks depriving the opposing party of access to potentially pertinent information required for a fair trial.

Thus a high level of privacy will not attach to Facebook profiles because the very purpose of such profiles is to broadcast personal information to an audience or the public. If the moving party can demonstrate to the court that the profile might contain relevant evidence, the court can extinguish the user’s privacy rights and order the production of the evidence.

It should be noted if one’s profile is open to the public all information contained in it is fair game and no court order is required. A lawyer cannot however add a party as a friend in order to gain access to private information; this is an ethical breach.

The reasoning in Leduc has been adopted and followed in numerous cases in Ontario. It seems one should not assume information broadcast on their private profile is protected from the court’s gaze.

The lesson handed down by Leduc is we should be careful about what we post on social networking sites, as that information could end up being thrust under the microscope and laid bare in court.

Facebook v Privacy Commissioner

David Fraser points out that the year Facebook said it needed to address privacy issues raised by the Canadian Privacy Commissioner is over, and there is speculation that the Commissioner may not be satisfied.

It will indeed be interesting to see how this shakes out.

Frankly, the things that Facebook does from time to time suggests that Facebook / Zuckerberg either doesn’t understand or doesn’t care about privacy. 

Privacy issues can be complex and controversial – but the basic concepts of personal choice, transparency as to what is being done with one’s info and how to control that in a simple manner, and opt-in to new privacy sensitive features – should be easy to get.

Privacy worries spark backlash FaceBook: Popular site makes personal information more available

For the London Free Press – June 21, 2010

Read this on Canoe

Many people are not concerned about their privacy on Facebook – but they should be. Facebook’s recent changes are a good lesson in how not to make changes that affect or control privacy.On April 21, 2010, at a Facebook developers’ conference called “F8”, the company introduced new features that essentially allow Facebook users to share more information about themselves with more people.

This sounds great, but the changes were made in a way that opened up people’s information without asking them first.

In other words, the new privacy defaults were more permissive than the previous defaults, and things that were private suddenly became public. Privacy options were expanded, but many found the options too complex and difficult to understand, thus requiring a lot of time and energy for each user to go in and adjust the settings.

That assumes of course that users first found out about the changes, understood that they needed to alter privacy settings, and took the time to actually do it.

Facebook believes that more users want to share more information about themselves as society becomes more transparent, and the new default settings reflected this. This is different from the more private attitude that Facebook started out with.

Frankly, that’s a decision that users must decide for themselves on an individual basis. You and I should get to decide that, not Facebook founder Mark Zuckerberg. Transparency is a good thing when it comes to understanding privacy choices, but transparency about an individual’s information is a decision that each individual must get to make for themselves.

Transparency is a concept that is now in vogue for business and government alike. It is about accountability to their stakeholders. That concept does not, however, translate to us as individuals or our personal information.

It may be that Facebook was trying to be more like Twitter. The difference is that everyone knows that comments one makes on Twitter can be seen by anyone, as Twitter’s fundamental purpose is to share one’s thoughts with the world. That’s not the understanding people have when they sign up for Facebook.

User outrage has lead to recent changes. Facebook has created more simplified options on their privacy settings page, including cutting the number of settings from 50 to around 15 and consolidating seven pages of choices into three.

The lessons here for anyone providing services are numerous:

– Don’t make changes that automatically open up user information more than it already is. 

– Make privacy choices as clear and simple as possible.

– Make clear what information will be shared with whom, so users can make informed choices.

– Set defaults conservatively and allow users to open it up – not the other way.

– Think about privacy when doing new things to get it right at the outset. 

And if you are a Facebook user and have not looked at your privacy settings recently, take another look and change them if they are not to your liking.

Privacy – its about informed choices

3 completely different privacy articles taken together illustrate how privacy is really about informed choices.

First, a Techdirt post by Mike Masnick about a musician from Saskatoon that sought out the Google street view car to get his photo taken to promote his band.   The point is that he wanted the publicity and sought it out.   It was his choice.  That’s unlike the pervasive surveillance culture such as in the UK where one does not have a choice.


Second, Boing Boing’s Cory Doctorow refers to Google CEO Eric Schmidt’s comment that  privacy isn’t important, and Bruce Schneier’s brilliant response to that as follows:

Google CEO Eric Schmidt says privacy isn’t important, and if you want to keep something private, “maybe you shouldn’t be doing it in the first place” (in other words, “innocent people have nothing to hide.”)

Bruce Schneier calls bullshit with eloquence: “For if we are observed in all matters, we are constantly under threat of correction, judgment, criticism, even plagiarism of our own uniqueness. We become children, fettered under watchful eyes, constantly fearful that — either now or in the uncertain future — patterns we leave behind will be brought back to implicate us, by whatever authority has now become focused upon our once-private and innocent acts. We lose our individuality, because everything we do is observable and recordable.”

(There is a T-shirt or poster waiting for a condensed version of that)

Third, the  EFF posts about the good, the bad, and the ugly about Facebook’s new privacy changes.  I know its a pain to have to take the time to deal with it – but we all need to go to our Facebook accounts and change whatever we need to.   Keep in mind that its our choice how much we want others to see, both by our privacy settings, and what we choose to post in the first place.