Steven Mansour has written a nice roundup of various articles and blog entries about Facebook's stance on privacy. What is interesting to me is not so much the concentration on Facebook; it is that there seems to be a growing awareness of the importance and breadth of privacy issues amongst the general public, at least in the UK. Although I'm sure in the UK the cause of that interest is mainly because of our hapless government rather than Facebook, it is heartening to see people starting to think about the issues around online identity and data privacy.
Following on from my previous rant about the UK government "misplacing" the personal data of 25 million of the UK's citizens, it seems that I'm not alone in my dismay about their proposed "solution" - the National ID Card scheme. A group of six respected academics have written to a Parliamentary committee expressing their disquiet about the proposals:
Furthermore, biometric checks at the time of usage do not of themselves make any difference whatsoever to the possibility of the type of disaster that has just occurred at HMRC. This type of data leakage, which occurs regularly across Government, will continue to occur until there is a radical change in the culture both of system designer and system users. The safety, security and privacy of personal data has to become the primary requirement in the design, implementation, operation and auditing of systems of this kind.
The inclusion of biometric data in one's NIR record would make such a record even more valuable to fraudsters and thieves as it would - if leaked or stolen - provide the 'key' to all uses of that individual's biometrics (e.g. accessing personal or business information on a laptop, biometric access to bank accounts, etc.) for the rest of his or her life. Once lost, it would be impossible to issue a person with new fingerprints. One cannot change one's fingers as one can a bank account.
"In that direction," the Cat said, "lives a Hatter and in that direction lives a March Hare... They're both mad."
"But I don't want to go among mad people," Alice remarked.
"Oh, you can't help that," said the Cat: "we're all mad here. I'm mad. You're mad."
"How do you know I'm mad?" said Alice.
"You must be," said the Cat, "or you wouldn't have come here."
Alice didn't think that proved it at all.
Lewis Carroll, Alice in Wonderland
Unless you've been living under a rock for the last few days, you must have heard that the UK Government has managed to lose the personal details of 25 million people. I've just been listening to Newsnight, and Jeremy Paxman was interviewing the hapless minister who was wheeled in to put his head under Paxo's axe. One of the questions asked was "Does this mean the end of the plans for a UK National Identity Card System?". The answer literally made my jaw drop. "No, because if we had everyone's biometric data, it would be much safer". WHAT??!! Unlike bank details, biometrics can't be changed - a point that was actually made by one of the other interviewees prior to the minister's imbecilic comments. How on earth would increasing the amount of sensitive (and in the case of biometrics, irreplaceable) data they collect make it "safer"?
The fact that the people responsible for losing the data actually believe that this tale of mind-boggling incompetence can actually be used to JUSTIFY collecting more of it is utterly, utterly astounding. It is quite frankly terrifying that a group of people who have decided they are going to force us to register on a National ID Database are so completely clueless about both the technology, its implications and the potential abuses of the data they are insisting we give them.
I think as a result of this cock-up of all cock-ups, the storm of protest against ID Cards is going to make the Poll Tax unrest of the 1990s look like a vicarage tea party.
I've had a reply from the UK Information Commissioner's Office saying that they are looking at my complaint, so things are moving there too. It also seems that I've sparked some interest in this topic, and it has been picked up by a couple of other sites:
The electrons were barely dry on my last post when I received an email from TRUSTe about the problems I'd had getting Facebook to close my account; the interesting bit is below:
Thank you for submitting your privacy complaint through the TRUSTe Watchdog Dispute Resolution program. The TRUSTe Compliance Team has reviewed the details of your complaint and we have determined that it is a valid privacy complaint. We have contacted www.facebook.com on your behalf and have outlined the steps necessary for proper resolution.
So my advice to you if you are having problems getting Facebook to close your account is to submit a complaint to TRUSTe.
As I documented in my last post, it isn't actually possible to leave Facebook; all you can do is 'deactivate' your account. I got in touch with Facebook and asked them to delete my account, and here is the reply I got from them:
If you deactivate, your account is removed from the site. However, we save all your profile content (friends, photos, interests, etc.), so if you want to reactivate sometime, your account will look just the way it did when you deactivated. If you do want your information completely wiped from our servers, we can do this for you. However, you need to remove all profile content before we can do this. Once you have cleared your account, let us know and we'll take care of the rest.
In return I got exactly the same response as the one above. I wrote back to Facebook yet again, repeating that their response was unacceptable, and that I was therefore going to take the three courses of action I outlined above. I registered complaints at both TRUSTe and the ICO, and I also emailed Channel 4 News, explaining my story.
Last week Channel 4 came to interview me, and the item went out on Channel 4 News on Saturday 17th November. A video of the item can be found on the Channel 4 website. There are also details of the response from Facebook to C4's questions about their policy and process for account closures. Once the item had aired, I wrote again to Facebook, explaining that their response was still unacceptable, and that I'd taken the three options I'd identified in my earlier mail. Here's an excerpt from my mail to Facebook:
The Channel 4 web page I refer to above says:
Vanessa Barnett, an internet lawyer with Berwin Leighton Paisner, told Channel 4 News: "The Data Protection Act is designed to protect individuals like me from having our data used in ways that we don't want. We get to choose how data gets processed, what people can do with it, and if we don't like it, we can say, 'Please stop'"
"Ultimately it's a question for the information commissioner as to whether someone is in breach of the act. And he has to balance two different things. Yes certainly, I as an individual have the right to say, 'please don't have my data,' but he also has to balance the rights of the business not to have to expend lots of money trying to get rid of that data."
So could Facebook argue that it's just impossible for them to provide an easier way to delete data? Or that they don't have the money to implement one? They didn't make that claim to us. In fact, they didn't engage with the question of why they need to retain data at all - they just didn't answer it.
Vanessa Barnett again: "One of the very key things that the information commissioner will look at is the resources of the business. And if that business has lots of money and lots of IT infrastructure, has the capabilities for example to easily write scripts to delete it, that will certainly sway the information commissioner into whether that data should have been deleted."
In the event that we learn that we have collected personal information from a child under age 13 without verification of parental consent, we will delete that information as quickly as possible. If you believe that we might have any information from or about a child under 13, please contact us at XXXXXXXX.
So it seems quite clear that Facebook *does* have the ability to delete accounts from the system, but for some reason chooses not to, other than for children under 13. I will be pointing this out to the UK Information Commissioner.
Once again, I reiterate my case - Facebook has a duty to make it possible for users to delete their accounts in a reasonable and convenient manner, and from the statement on the Facebook Privacy page, Facebook clearly already has the mechanisms in place to make this possible.
I await your response with interest.
As well as sending my mail to the Facebook support person I had been dealing with, I also sent it to Chris Kelly, Facebook's Chief Privacy Officer, and Mark Zuckerberg, the Facebook CEO. Neither mail bounced, so I must have guessed their email addresses correctly. Earlier on today I received the following response from Facebook:
We have permanently deleted your account per your request. We do not retain any information about your account once it is deleted, and thus deletion is irreversible. Please let me know if you have any other questions or concerns.
Hurrah! Although to be honest, this raises almost as many questions as it answers. If Facebook has the ability to delete accounts so easily, why don't they make it available to users? In their written response to C4 they say that "Facebook does not use any information from deactivated accounts for advertising purposes." If that is the case, why do they retain the information at all? And although they aren't using it for "advertising purposes", are they making other use of it, and if so, what?
I'm still waiting for responses from either TRUSTe or the ICO; I'll be sure to blog about them when I receive them. In the meantime, if you want to get Facebook to delete your account entirely, you can always try mailing them, quoting the clear precedent they have set by closing my account. I really can't understand why Facebook make the whole process so difficult; they are an extremely popular service and the amount of work involved in closing accounts properly is tiny in comparison to the volume of activity the site sees.
I've just attempted to delete my Facebook account, only to find this on the 'deactivate' page:
Opt out of receiving emails from Facebook. Note: Even after you deactivate, your friends can still invite you to events, tag you in photos, or ask you to join groups. If you opt out, you will NOT receive these email invitations and notifications from your friends.
You can reactivate your account at any time by logging in with your email and password.
So quite clearly they DON'T actually delete your data, and I have been unable to find an option on the website to do this. I've emailed their privacy department; it will be interesting to see what response I get...