The investigation, conducted under the country's Personal Information Protection and Electronic Documents Act, looked at whether Facebook ‘was providing a sufficient knowledge basis for meaningful consent by documenting purposes for collecting, using, or disclosing personal information and bringing such purposes to individuals' attention in a reasonably direct and transparent way.'
It also focused on the retention of personal information and on security safeguards, and questioned several of the processes and policies that the social networking website applies to data entry. These related specifically to a user's date of birth, to the privacy settings governing who can see a user's profile, and to the legitimacy of third-party applications.
Now I realise that I could spend the next few paragraphs cutting and pasting from the report when you could just as easily download the PDF and read it yourself, or even read our news story, but I think it is an interesting take on the security of one of the most used and accessed sites on the web.
To be fair, Facebook does not appear to have the best reputation within security circles. At an (ISC)2 conference earlier this year, Spencer Parker, director of product management at ScanSafe, claimed that the spread of worms and malware on social networking sites had been ‘unbelievable' and asked how many of the delegates had blocked access to Facebook.
Parker said: “Even if it was taken down a day later they already have information on you, we have got to educate users on social networking. There is no doubt that it is a great tool but do you really need 1,000 friends? Do you need that many? We need to get out of the culture of promiscuous friending.”
The report followed the same lines by claiming that ‘social networking sites like Facebook present an interesting challenge' as ‘on Facebook, users decide what information they provide in order to meet their own needs for social networking. In order for individuals to join Facebook, Facebook requires that users provide only four pieces of personal information: their name, email address, date of birth and gender. All other information is uploaded voluntarily by the user for the express purpose of sharing it with others.'
The privacy settings on Facebook have proved to be a major stumbling block for some time now. Back in February I blogged on the debacle surrounding Facebook privacy settings when a crucial line was removed that stated: ‘you may remove your user content from the site at any time. If you choose to remove your user content, the license granted above will automatically expire, however you acknowledge that the company may retain archived copies of your user content'.
This naturally led to the line being reinstated before the privacy terms were revised, but the damage was done. This week Facebook took a further step to prove its stance on security, introducing measures that aim to reduce the number of compromised accounts by means of a ‘suspicious activity' page.
Jake Brill, a project manager for the site integrity team at the social networking site, said: “We've spent the last few months improving the way to guide people through the process of regaining access to their account after it's been compromised and used to send spam. Currently, we send emails explaining what happened and provide links to remedy the situation. Now we're moving towards a new model that also involves clear and simple steps taken within Facebook itself. In doing so, we can ensure that the person logging in is the true owner of the account, thereby preventing hackers from using it to send spam in the future.
“Going forward, we'll continue to send a notification email to the tiny percentage of people whose Facebook accounts have been compromised. What's new is that when these people try to access the site, they'll first see a page explaining what happened.”
Facebook estimates that only 20-30 per cent of its 200 million users change their privacy settings, and that it selected the default privacy settings to reflect what they thought users wanted.
Facebook stated: “We believe that users should be empowered to make their own choices about sharing personal information. We facilitate this choice by setting powerful defaults that reflect common sense views about availability and allowing users to change the settings if they wish.”
It further claimed that it would not be practical to force users to pick all their privacy settings before being allowed to register, as the sheer number of screens they would have to go through would deter them from ever signing up for the service.
The report finally claimed: “I would suggest that Facebook is not doing as much as it should to inform users about privacy settings at registration.” Jennifer Stoddart, privacy commissioner of Canada, claimed: “It's clear that privacy issues are a key concern for Facebook. And yet, we found some serious gaps. In some cases, Facebook must make changes to its site to bring it into compliance with Canadian privacy law.”
There is no doubt that the more kicks it takes the more it seems to recover, thanks to its market share: Twitter is seen as a different entity and MySpace is barely mentioned anymore. I doubt that this report will be any different from other attacks, mainly because of its constructive conclusion and Facebook's ability to reply to the claims made, but an intervention as serious as this will likely cause some changes.