So this is what a privacy audit looks like

2011 may be remembered as the year of the Big Privacy Audit, with the Federal Trade Commission using consent decree powers to commit both Facebook and Google to decades of regular third-party oversight and reporting on privacy. You may not have realized that a very important Facebook audit was already underway, initiated by the Irish Data Protection Commission. Now, with the publication of specific requirements from this process (painstakingly cataloged at TechCrunch), we can start to see how privacy audits will work and what it means for users world-wide.

Of the 45 different changes required by the Irish DPC in the audit report, here are a few that I found most interesting:

Limit data collection from social plugins, restrict access to this data, and delete it on schedule, though social plugin data is not currently used in ad targeting – Immediately

Switch from retaining ad-click data indefinitely to a 2-year retention period – Review in July 2012

Anonymize data about a user’s searches on Facebook within 6 months

Anonymize all ad click data after 2 years

Roll out updated granular data permissions dialog box to all applications – End of February 2012, review in July 2012

Educate users on the importance of reading app privacy policies, possibly increase size of links to report an app or view the app’s privacy policy in the data permissions dialog box – End of February 2012

Implement a tool that determines if links to app privacy policies are live. First, Facebook will assess the technical feasibility of such a tool – Review progress towards implementation in July 2012

Improve system for disclosing data to law enforcement by requiring validation from a senior officer and a full explanation for why the data is needed – Commence in January 2012, review in July 2012

Many of these requirements are more substantive than would be possible under the FTC’s consent decree with Facebook, which is limited (more or less) to ensuring that Facebook doesn’t change its policies in the future without appropriate notice and consent. While Irish authorities can’t bind Facebook to these changes world-wide, as a practical matter it’s hard to see Facebook maintaining significantly distinct versions of the service based on local privacy rules (except perhaps where highly valuable data would be lost). In this way, more stringent requirements from Europe may end up leading the way when it comes to defining best privacy practices and oversight.
