Facebook Ireland is under fire for allegedly creating "shadow profiles" on users and nonusers alike.
The startling charges against the social-networking giant come from the Irish Data Protection Commissioner (IDC), which, Fox News reports today, is launching a "comprehensive" investigation against Facebook Ireland for extracting data from current users--without their consent or knowledge--and building "extensive profiles" on people who haven't even signed on for the service.
Names, phone numbers, e-mail addresses, work information, and perhaps even more sensitive information such as sexual orientation, political affiliations, and religious beliefs are being collected and could possibly be misused, Irish authorities claim.
Interestingly, Facebook users living outside of the United States or Canada are contracted with Facebook Ireland. Facebook users living inside the United States and Canada are contracted with Facebook Inc., headquartered in California. Running afoul of privacy laws is much more likely for companies operating outside of the United States, especially in Europe, where privacy laws are much more stringent.
On August 18, the IDC received a formal complaint against Facebook Ireland made by Max Schrems, a 24-year-old Austrian law student. In June, after attending a talk by a Facebook executive at Santa Clara University in California, while on a study abroad program, Schrems apparently asked Facebook for his data. To his surprise, the company sent him a CD with 1,200 pages--three years' worth--of highly personal "deleted" material ranging from friend requests to his history of "Pokes" to lists of people he had "defriended" to entire chat messages.
Schrems, in turn, filed 22 discrete complaints about Facebook to the IDC. That has led to an official "statutory" audit of Facebook Ireland that's going to get underway next week and could possibly lead to "immediate charges" if Facebook is found to be in violation of data protection laws, a representative for IDC told Fox News. Facebook could also be fined up to $137,000 (U.S. dollars) according to the U.K.-based Guardian.
"I'm not saying there was anything criminal or forbidden there, but let's just say that, as someone wanting to work in law, there was stuff which could make it pretty impossible for me to get a job," Schrems was quoted as saying in The Guardian. "By holding on to data its users assumed was deleted, Facebook was acting like 'the KGB or the CIA,' said Schrems.... It's frightening that all this data is being held by Facebook."
In his "Shadow Profiles" complaint, Schrems explains how Facebook goes about eliciting data from users and nonusers:
"This is done by different functions that encourage users to hand personal data of other users and nonusers to Facebook Ireland (e.g., 'synchronizing' mobile phones, importing personal data from e-mail providers, importing personal information from instant-messaging services, sending invitations to friends, or saving search queries when users search for other people on facebook.com)."
"Even commercial users that have a 'page' on facebook.com have the option to import their customers' e-mail-addresses to promote their page."
"By gathering all this information, Facebook Ireland is creating extensive profiles of nonusers and it is also enriching existing user profiles. This is done in the background without notice to the data subject ('shadow profiles'); the user or nonuser is experiencing only some of the result of these shadow profiles: there are 'friend' suggestions by Facebook Ireland based on the information, or nonusers get invitations showing many users that they actually know in real life."
"This means that Facebook Ireland is gathering excessive amounts of information about data subjects without notice or consent by the data subject."
Here is a link to europe v. facebook.org, ironically, a Facebook page devoted to Schrems' attempt to challenge Facebook Ireland. As of this writing, it has only 600 fans.
"The allegations are false," Andrew Noyes, Facebook's manager of public policy in Washington, D.C., said in a statement replying to CNET's request for comment. He elaborated on the company's handling of deleted information, a key aspect of the data infractions cited in the complaint.
"We enable you to send e-mails to your friends, inviting them to join Facebook. We keep the invitees' e-mail address and name to let you know when they join the service. This practice is common among almost all services that involve invitations--from document sharing to event planning--and the assertion that Facebook is doing some sort of nefarious profiling is simply wrong. In addition, Facebook offers more control than other services by enabling people to delete their e-mail address from Facebook or to opt-out of receiving invites."
"Also, as part of offering people messaging services, we enable people to delete messages they receive from their inbox and messages they send from their sent folder. However, people can't delete a message they send from the recipient's inbox or a message you receive from the sender's sent folder. This is the way every message service ever invented works. We think it's also consistent with people's expectations. We look forward to making these and other clarifications to the Irish DPA."