Facebook shares its users' personal information with developers who create games and quizzes in a way that breaches Canadian privacy law, the Office of the Privacy Commissioner of Canada has found.

The popular social networking site, which is used by 12 million Canadians and 200 million people worldwide, also keeps personal information indefinitely after users deactivate their accounts, contrary to the Personal Information Protection and Electronic Documents Act, says the report released Thursday by assistant privacy commissioner Elizabeth Denham.

The office's main concern was that users could not always give "meaningful consent" to the use of their personal information due to a lack of transparency on the site.

"We found that, although Facebook provides information about privacy issues, it is often confusing or incomplete," Denham said at a news conference.

Users should be able to opt out of actions that could lead them to lose control over their personal information, she added. In some cases, that information could then be used for marketing purposes or even identity theft.

Facebook declined interview requests Thursday, but issued a statement saying it is about to introduce new privacy features that it believes "will keep the site at the forefront of user privacy and address any remaining concerns the commission may have." It added that in the meantime, it will continue to work with the commissioner's office and to raise awareness about its privacy controls.

4 areas of concern

The Office of the Privacy Commissioner's report found that Facebook continues to breach PIPEDA in four ways and it made recommendations to correct the problem. It found:

Facebook doesn't have enough safeguards to prevent 950,000 third-party developers around the world from getting unauthorized access to users' personal information, nor does it ensure users have given "meaningful consent" to allow their personal information to be disclosed to the developers. Recommendation: Developers should only get the information needed to run the application. Users would have to specifically consent to the release of that information after being told why it is needed. Information about anyone other than the user would not be disclosed.

Facebook keeps information from accounts deactivated by users indefinitely. Recommendation: Facebook should have a policy to delete the information after a reasonable length of time, and users should be informed of the policy.

Facebook keeps the profiles of deceased users for "memorial purposes" but does not make this clear. Recommendation: Information about use for memorial purposes should be in Facebook's privacy policy.

Facebook allows users to provide personal information about non-users without their consent. For example, it allows them to tag photos and videos of non-users with their names, and provide Facebook with their email addresses to invite them to join the site. It keeps the addresses indefinitely. Recommendation: Facebook should only keep non-users’ email addresses for a reasonable, specific length of time and should make its users aware that they need to seek consent of non-users before posting information about them.

Users' responsibilities

Denham and privacy commissioner Jennifer Stoddart emphasized, however, that they aren't telling people to stay away from social networking sites.

"We all understand that social networking sites can be a wonderful way to connect," Stoddart said at the news conference. She added that not everyone sees privacy in the same way, and some people may be more willing to share personal information more widely than others.

Denham added that users also need to take responsibility by reading privacy policies and using the information to make their own choices.

The investigation was launched by the privacy commissioner's office in response to a complaint from the Canadian Internet Policy and Public Interest Clinic, which is based at the University of Ottawa.

Personal Information Protection and Electronic Documents Act PIPEDA specifies how private sector organizations may collect, use or disclose personal information in the course of commercial activities. Under the act, under most circumstances: Personal information must be collected for a specific purpose and cannot be used for other purposes.

The information cannot be collected unless the person that the information belongs to has been informed and has provided consent.

The information can only be kept for a specified amount of time, and must be destroyed when it is no longer needed to fulfil its original purpose.

Jordan Plener, a law student who initiated the complaint on behalf of CIPPIC, said he had a number of concerns about areas such as Facebook's default privacy settings and the personal information available to developers.

"For a hangman application, for example, there is no use for the developer to know where the person lives or have their personal email address."

The complaint cited allegations on 12 topics. Denham deemed allegations about four topics unfounded. Facebook accepted Denham's recommendations and resolved problems in four other areas.

Plener said that was a good start. But he noted that so far, Facebook has refused to accept Denham's other recommendations.

With respect to the four remaining topics, the assistant privacy commissioner has asked Facebook to reconsider its recommendations to resolve the problems and said she will follow up in 30 days. If Facebook does not comply at that point, the privacy commissioner's office can have its recommendations enforced by the Federal Court.

Denham noted that the company has been co-operative throughout the investigation, and she is hopeful that it will comply.