Click here for PDF of this article

Does Facebook invade user’s privacy?

With an estimated worth of US$1 billion and 58 million registered users, Facebook’s booming popularity has attracted large companies to partner up with Mark Zukerberg (Facebook’s creator) in using Facebook’s new advertising system, Beacon. With a population double that of Australia and spread across multiple countries, large companies such as CBS Interactive, STA Travel, Travelocity, TypePad, and WeddingChannel.com saw the potential for advertising and all participated in Facebook’s launch of Beacon in November 2007. However, Facebook’s aggressive advertising campaign came under heavy criticism from privacy advocates that resulted in Facebook withdrawing its new system amongst concern that it violated privacy laws.

How Beacon works

Beacon requires companies to put a piece of Facebook’s java script on their website where certain information is appropriately labelled.  The java script is then sent to Facebook when a Facebook member makes a purchase on the company’s website.

The Beacon system acts as a tab on the goods and services for the user’s transactions through Facebook “partner” sites. A record is made of a transaction on a partner site and this record of activities is broadcasted to a Facebook user’s friends on the Facebook news feed. Beacon also follows users who click on third party ads inside the Facebook social network and refers the link to the seller sites.

Privacy Issues

The two hypothetical examples below illustrate some of the issues of Beacon with respect to privacy issues.

Example 1: As a way to let travelers tell their Facebook friends about upcoming travel plans, Travelocity implements Facebook’s Beacon on its website. This will allow Facebook users who book on Travelocity, to choose to share that information with their friends on Facebook. This seems like a good idea, as one of the many functions of Facebook is to allow the user to inform family and friends of their experiences and plans. The travel plans are automatically shared with others making it easier for the user, but what if those travel plans are a surprise birthday present or a honeymoon gift? The user in this case certainly did not intend to disclose the information to the recipient, who more than likely is a Facebook friend of the user.

Example 2: Shauna, who enjoys Revlon products, indicates she’s a “fan” of the brand on Facebook. Marketers at Revlon can then purchase Facebook advertising, which will then be displayed on Shauna’s Facebook newsfeed or on ads on her profile. If Shauna purchases Revlon makeup from WeddingChannel.com (a Facebook partner), her newsfeed could indicate links recommending it to her 100 trusted friends. While Shauna has indicated that she enjoys using Revlon products, she by no means provides consents to Revlon to use her Facebook photograph or profile as a means of advertising.  

Facebook’s Response

This controversy brought the attention of online protest groups such as MoveOn.org and privacy advocates whom pressured Facebook to give users a way to opt out of the system. On 2 December 2007, Facebook made a formal apology through their newsletter and web-blog and informed their users that they had removed the ‘Beacon system’ and it will no longer alert a user’s friends about what they do and buy on the site without their permission.

Responding to privacy concerns, Facebook has since moved to reassure users that it only tracks and publishes data about their purchases if they are both logged on to Facebook and have opted-in to having this purchase information listed on their profile.

Privacy Law in Australia

The National Privacy Principles (“the NPP”) in the Privacy Amendment (Private Sector) Act 2000 protects Australian’s personal information and determines how private sector organisations, including some small businesses and all private health service providers handle your personal information.

Under Principle 11, Limits on Disclosure of Personal Information, Facebook is only permitted to disclose a user’s information if Federal Privacy Commissioner is satisfied that:

Case Law

Although there is no case law on social applications such as Facebook or Myspace breaching the privacy principles in Australia, currently in the USA there is a case before the courts that in essence involve the issue of an alleged breach of NPP 11 and websites.

The matter involves Virgin Mobile using a 16 years old girl’s picture without her consent for a commercial bus advertisement with the slogan 'dump your pen friend'. The photograph was taken from the popular website Flickr.com, which allows users to upload, view and share photographs. The family of the girl claimed damages for defamation and under privacy law in the United States (Virgin Mobile USA LLC v Creative Commons Corp [2007]).

Conclusion

The Facebook “Beacon” system, had it continued to be instituted would be similar in circumstance to the Virgin Mobile case, by reason of the lack of consent. In Example 2, we find how Beacon could use a persons profile to endorse certain products by becoming a product “fan”.  Under the NPP 11, this constitutes a breach if consent has not been given by the individual.

While this aspect of law remains relatively untested in Australia, in a press release the Federal Privacy Commissioner on 18 December 2007 addressed concerns about potential privacy risks associated with social networking websites. The Commissioner offers 4 main steps that users need to take to minimise potential privacy risks:

If you have any specific or general questions in relation to this article, please do not hesitate to contact us.