Canadian Commissioner Says Facebook Has 'Privacy Gaps"

From time to time, I've written about Facebook due to its privacy and potential data breach risks. Canada.com reported:

"Canada's privacy commissioner on Thursday ruled that Facebook is in violation of the country's privacy law, citing "serious privacy gaps" in the way the popular social networking site treats its 12 million Canadian users. And if the California-based company doesn't comply with Jennifer Stoddart's directives within 30 days, Facebook will likely be hauled to Federal Court to face a judge with the power to order the company to implement the recommendations."

About 12 million Canadians use Facebook. The probe found four problems:

"In addition to an "overarching" concern relating to the "confusing" or "incomplete" way in which Facebook provides information to users about its privacy practices, the report concluded Facebook's policy to keep indefinitely the personal information of people who have deactivated their accounts is a violation of the privacy law. But the biggest sticking point has to do with the practice of sharing users' personal information with third-party developers that create Facebook applications, such as games and quizzes."

Experts estimate that there are maybe a million Facebook application developers scattered across 180 countries. I'd have to agree. When you launch an application like a quiz, it is unclear exactly what information is or will be shared and specifically to whom. For this reason, I don't use Facebook applications.

Quite predictably:

"... Chris Kelly, Facebook's chief privacy officer, said the site is continually refining its privacy controls and "certainly, we think that our approach right now is compliant with Canadian law... The probe began last year after the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa filed an 11-part complaint, alleging Facebook violated key provisions of Canada's Personal Information Protection and Electronic Documents Act, the country's private-sector privacy law."

David Fewer, acting director of the University of Ottawa law clinic that filed the complaint, said this about Facebook's third-party applications:

"This is black-letter law they're applying here... Facebook can't say the law is wrong here, or is being misinterpreted. Instead, what they need to do is go back and re-engineer how they do third-party apps. I think they rolled out third-party apps out without figuring privacy obligations into the design. There was a fork in the road early on in the design. They went left and they needed to go right. And left is where the money tree is..."

For these reasons, I don't use thrid-party applications at Facebook. It's imply impossible to tell exactly what data a consumer is releasing, who the application developer is (e.g., some are more trustworthy than others), and what other companies that application developer will share consumers' personal data with. Regardless of Facebook's new privacy policy, the site seems intent on operating with an opt-out-driven ad system which places far too much burden on consumers to constantly monitor their privacy settings to ensure that Facebook hasn't started some new program that harvests and syndicates personal data.

Fraud And Scam Warnings To Consumers From the Better Business Bureau

A couple warnings to consumers so you don't get "mugged," become a fraud victim, or pay more than you have to. First, the BBB advises consumers to read the fine print at online social media sites, especially Facebook, since:

"... the large print doesn’t always tell the whole story... in January, BBB issued a warning to consumers about online ads and Web sites that use Oprah’s name to sell acai berry supplements as weight-loss miracles... these ads are still common on Facebook and MySpace and link to fake blogs such as www.jennylosesweight.com that are designed to look like testimonials of women who lost weight on the acai supplements... The phony blogs link to Web sites that offer a free trial of an acai supplement, and while the customer may think they only have to pay shipping, they could get billed as much as $87.13 every month if they don’t cancel before the trial period ends."

Another scam consumers should be aware of:

"There are many ads on Facebook that advertise ways to make easy money from home... the ads link to blogs that were supposedly created by people who made money through a work-at-home program. One such blog written by a “Sarah Roberts” claims that she added “$67,000 a year to my family’s income working 10 hours a week... The blogs direct readers to Web sites for programs such as Internet Money Machine and Easy Google Cash where they can sign up for a seven-day trial access to information on how to make money from home. While the free trial supposedly only costs $1.95-$2.95, the individual will be charged $69.90 every month..."

Be sure to follow the above link to learn about more scams. Second, the BBB warns consumers about automated phone calls offering lower credit card interest rates:

"Consumers across the U.S. and Canada are sounding off to Better Business Bureaus about incessant automated telemarketing calls promising to lower interest rates on their credit cards. Not only are the calls a nuisance and violate U.S. and Canadian Do-Not-Call laws, but some companies behind the calls are ripping off consumers by charging large up-front fees to negotiate lower interest rates with credit card companies — something consumers can do on their own for free... After the initial recorded message, consumers must dial another number to be connected to a live person. The live “operator” usually starts the sales pitch by asking for the consumer’s credit card number and whether the consumer is interested in lowering their interest rates. From there, callers begin closing the sale, asking if the consumer is willing to pay – usually from $700 to $1,000 - to have their firm contact the credit card company and negotiate lower rates."

About telephone offers, the BBB advises consumers to:

"Never give personal information, including Social Security, bank or credit card numbers, over the phone to an unknown telemarketer. Always research the company first by reviewing its Reliability Report at www.bbb.org.; When considering any company offering any type of financial assistance, insist on getting a contract in which all terms and conditions are clearly explained before signing up or providing credit card or other payment information; U.S. consumers can place their home phone number on the federal Do Not Call list by visiting www.donotcall.gov. If the consumer’s number is already on the list but continues to receive telemarketing calls—or is receiving robocalls on a cell phone—he or she can use the same Web site to report the incident to the FTC. Canadian consumers can learn more at www.lnnte-dncl.gc.ca.

Canadian Officials Criticize TJX's Data Security

More about TJX from yesterday's Daily Business Update:

"Retailer TJX Cos. failed to put in place adequate security safeguards to protect customer information, the privacy commissioner of Canada said today."

TJX operates the Winners and HomeSense retail chains in Canada. The news article explained further:

"A joint investigation by Canada's commissioner of privacy and Alberta's privacy commissioner was launched after TJX, the Framingham-based operator of such chains as T.J. Maxx and Marshalls, disclosed in January that its computer system had been breached, resulting in the theft of millions of credit card and debit card numbers..."

Perhaps most importantly:

"The company collected too much personal information, kept it too long, and relied on a weak encryption technology to protect it - putting the privacy of millions of customers at risk..."

Do you still want to shop at Marshalls, HomeGoods, and/or TJ Maxx? First, read this background about TJX's out-of-court settlement. Then, read a January 2007 TJX press release about how TJX was improving its data security:

"[TJX] immediately engaged General Dynamics Corporation and IBM Corporation, two leading computer security and incident response firms. TJX has been working aggressively with these firms to monitor and evaluate the intrusion, assess possible data compromise, and seek to identify affected information. These firms have assisted TJX in further securing its computer systems and implementing security upgrades."

Yep! That's the same IBM that suffered its own data breach in February 2007 and lost an undisclosed number of records with sensitive personal data about its employees and former employees.

Last, the N.H. Department of Justice web site posts copies of all data breach notification letters it receives. I checked the site this morning and noticed that TJX hadn't updated their January breach notification letter, portions of which contain old and obsolete information.