Seeking Solutions to the Mounting Social Media Privacy Concerns

The House of Commons Committee on Ethics, Accountability and Privacy recently launched a major new study into the privacy concerns raised by popular social media sites. The study promises to canvass a wide range of perspectives as elected officials grapple with emerging privacy issues and consider whether the current legal framework provides sufficient protection.

Canadians are among the most active social media users in the world, yet the growing reliance on sites such as Facebook, Twitter, LinkedIn, and Google+ has generated unease with the privacy implications of massive data collection. My weekly technology law column last week (Toronto Star version, homepage version) notes I was recently invited to appear before the committee and used my time to identify four areas in need of action.

First, the government should finish what it started. It has introduced and even passed legislation that can be helpful in addressing some concerns that arise from social media, yet these initiatives have stalled short of the finish line. For example, anti-spam legislation, which received royal assent in 2010, has still not taken effect as final regulations have not been approved.

Moreover, Bill C-12, the privacy reform bill that seeks changes arising from the 2006 privacy review, lags in the House of Commons with seemingly no interest to move the bill forward. In fact, the bill is already outdated as it fails to address issues such as privacy commissioner order making power, damages for privacy violations, and tougher disclosure requirements for security breaches.

Second, in many respects, social media and Internet companies are the most powerful decision makers when it comes to privacy choices. As my colleague Professor Ian Kerr says, the devil is in the defaults. In other words, the choices made by leading social media companies with respect to default privacy settings are the defacto privacy choices for millions of users. Given the increasing pressure to generate revenues, we can expect those default choices to change in aggressive ways to make greater use of user data.

There needs to be continued work on these defaults, initiatives to provide users with increased information and transparency, and steps to ensure that companies live by their privacy commitments.

Third, the introduction of Internet surveillance legislation earlier this year brought with it an avalanche of public outrage. While much of the focus was on the mandatory warrantless disclosure of subscriber information by telecom companies, the potential for social media and big data Internet sites to serve much the same purpose cannot be overlooked.

A recent investigation by the Privacy Commissioner of Canada into Nexopia, a Canadian social network, identified hundreds of law enforcement requests for customer name and address information, frequently for accounts that should been deleted months earlier. Social media creates a treasure trove of personal information that must enjoy full privacy protection and court oversight before disclosure.

Fourth, social media and the Internet do raise some unique issues that may require targeted responses. For example, some sites, including Facebook, use cookies to trace the web browsing habits of their users. Any third party site with nothing more than a Facebook “like” button allows the social media giant to track a visit to the site and retains the information for months.

A growing number of sites, including Yahoo, AOL, and Twitter, respect functionality found in Firefox browsers that allow a user to choose not to be tracked. Google has said it will implement similar technology in its Chrome browser.  However, many sites have been slow to adopt do-not-track and Facebook has thus far declined to do so.  Given the failure of industry to self-regulate, it is appropriate for government to step in with stronger measures to ensure that user choice is respected.

One Comment

  1. Besides Social Media, Some Commerce Sites Need a Rules Change
    Has there been any thought to regulating e-commerce sites? When I tried to buy tickets online through, I had to agree to them being able to use all the personal data I had filled out in the purchase form, even to the point of them sharing it with third parties. There was no opt out button. You want to buy tickets online? Agree that your data is theirs to use as they wish.

    I did not buy, will never buy tickets through their site.