Personal Privacy Impact Assessments for Facebook

I’m reading Canada’s Assistant Privacy Commissioner Elizabeth Denham’s recently released findings into complaints levied against Facebook. (Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC)against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act.) My first reaction to this is, frankly, one of jealousy. I wish we had a similar commissioner/czar/wonk here in the US. I suppose elements of the FTC work in this regard but without the same charter, which is too bad.

Section 4 of the report is, for me, where the action is at. Section 4 is concerned with 3rd party application in Facebook and use of personal data by those applications. As the Facebook platform grows with new additions like Facebook Connect, issues of third-party access to user information will continue to be a concern to those who pay attention to such things. There’s a challenge here as the ways in which 3rd party applications use user information is hard to decipher, as it is, from an end-user perspective, a fairly black-box operation.

I wonder if Facebook could build a personal privacy impact assessment (PPIA) app. The PPIA would analyze the action you are about to take on Facebook, your privacy settings, the 3rd party apps you’ve allows access to your profile, and the privacy settings you have set for those apps. The PPIA could give you a quick read on which applications would be privy to the action you are about to do. It could indicate which groups of friends (based on your privacy settings) would see what you are about to do. Essentially, it would let you see across how much of your social graph a certain action (like posting a link or photo) will travel.

We all have PPIAs built in – one that is cultivated through social interactions schooled by social norms. When it comes to dealing with large systems, like Facebook, big business, or the government for that matter, we all can use a little help.  I wonder if someone can get a PPIA prototype up ahead of Catalyst to at least give me a warning about potentially embarrassing photos being posted somewhere…

(Cross posted from Burton Group’s Identity Blog.)

3 Replies to “Personal Privacy Impact Assessments for Facebook”

  1. Sounds like an interesting idea, though I expect that something like this would be against FB’s interests in getting people to contribute as much personal data as possible to the site. While the OPC’s report began to crack down on third-party developers, I’d wish they’d gone a step further and demanded that FB start actually regulating how third-parties informed users of data usage habits (i.e. how data could be used, where it is stored, retention periods, etc). In effect, I’d love to see FB have to regulate third-party developers’ data according to the same recommendations that the OPC offered for how FB itself regulated the data that they controlled. Unfortunately, I don’t see this happening until regulators look at companies like FB as ecosystem developers that should be responsible for the actions of the ecosystem, as opposed to developers that just provide a data-mining playground for third-parties.

  2. I thought about bringing that very point up. I’d love to see FB require developers to register a manifest which includes which data elements a developer is using. But, from a FB perspective, that would slow down adoption and application development. Once the genie is out of the bottle, it is damn hard to stuff back in.

    In the meantime, I’m half considering writing a Facebook application to test my own privacy settings. Might be worth a laugh.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.