Facebook’s Data Privacy Scandal Extends to Canada: 600K Users, 10 Years and Counting

By: Lee Rickwood

April 13, 2018

Facebook shares the personal information of its users. And third-party developers create games and quizzes running on Facebook that violate Canadian privacy law. That’s what the Office of the Privacy Commissioner of Canada says.

That may not sound so surprising, considering all the reports about Facebook, Cambridge Analytica and so-called data privacy that fill the news these days.

But Canada’s Privacy Commissioner cited Facebook’s data privacy violations ten years ago!

The popular social media site has again come under much scrutiny, criticism and complaint recently with word that its platform can and has been misused by outside data miners who have both access to and the ability to harvest data from Facebook user profiles.

bar graph shows Facebook's Data Privacy Scandal Extends to Canada

Facebook has released data (purposely in this case) that shows more than 600,000 Canadian users may have had their data “improperly shared” as part of the current global data privacy scandal.

The number keeps growing, but it may be more than 87 million users around the world this time; Facebook has released data (well, purposely in this case) indicating that more than 600,000 Canadian users may have had their data “improperly shared” as part of the current global data privacy scandal.

In response, the current Office of the Privacy Commissioner of Canada has opened an investigation.


“We have received a complaint against Facebook in relation to allegations involving Cambridge Analytica and have therefore opened a formal investigation,” Commissioner Daniel Therrien recently announced.

The extremely important privacy questions to be investigated now echo those raised in 2008.

In a complaint filed with the Privacy Commissioner back then, and published by the Information Resources Management Association, Canadian Jordan Plener (then a law student, now an attorney with a global law firm) noted that a key privacy concern  was “the way Facebook shares the personal information of its users with third party software developers who create games and quizzes and other apps that run on its network.”

Sound familiar?

That description matches almost perfectly the methodology allegedly followed by the U.K. researcher Aleksandr Kogan, who conducted a survey on Facebook which some 270,000 people completed in 2016.

Filling out that survey, in turn, seems to have led to the unauthorized ‘scraping’ of the data associated with some 87 million Facebook user accounts. That data, in turn, seems to have been shared with U.K.-based data analytics and social microtargeting company Cambridge Analytica.

Ten years ago, when the Canadian Privacy Commissioner issued its findings about Facebook’s data privacy and sharing practices being contrary to our privacy law, the then assistant privacy commissioner was Elizabeth Denham. She would go on to become B.C.’s provincial privacy commissioner, and as if in a script written in Hollywood, she is now the U.K. Information Commissioner.

“We found that, although Facebook provides information about privacy issues, it is often confusing or incomplete,” Denham said at a Canadian news conference back in 2009.

Users should be able to opt out of actions that could lead them to lose control over their personal information, she added back then, warning that in some cases the information could be used not just for marketing purposes, but identity theft.

Or, as many now suspect, fixing elections.

Cambridge Analytica is a consulting and research firm, known for combining its data analysis and strategic communications expertise with political objectives.

CA has been connected with other companies and firms engaged in similar activities, including data mining for political microtargeting and behavioural persuasion purposes. Among them a small Canadian tech firm called AggregateIQ. For more than a year, reports have connected AIQ with CA.

In fact, Denham is again investigating Facebook and its data leakage issues, including the Cambridge Analytica/AggregateIQ angle, but this time from the U.K. She has already received and executed a search warrant of Cambridge Analytica as part of her current investigation, and she noted in a blog posting that some 30 organizations will be looked at, including AggregateIQ

In the U.K, the Information Commissioner can not only conduct such investigations, but the office can take enforcement actions if needed.

Meanwhile, here in Canada, another investigation. Or two.

The Office of the Privacy Commissioner of Canada, as well as its provincial counterpart in B.C., is investigating Facebook and AggregateIQ.

They will jointly look at whether the companies broke federal and provincial personal privacy rules.

Personal Data Protection and Wedding Vows – Should We Say “I Do” or “I Don’t”?

The Privacy Commissioner of Canada Daniel Therrien. Photo by Dave Chan.

“If true, the allegations raise a major challenge for privacy rights. We have recommended strengthening Canada’s private sector law in order to help strengthen consumer trust,” Commissioner Therrien said. “We will remain in contact with the U.K. office and will work with other data protection authorities as appropriate. Ultimately, our goal is to ensure that the privacy rights of Canadian Facebook users are protected.”

That was the goal ten years ago.

And at least 600,000 users ago.

There’s no word on a timetable for the Privacy Commissioners’ investigations, but here in Canada at any rate, even an investigation that might find serious violations could have its hands tied behind its back.

As the Privacy Commissioner himself has noted, his office needs some real power built into its privacy protection toolkit, such as the ability to impose “substantial financial penalties” on companies that misuse the personal information they collect.

The Office should be able to issue binding orders about privacy-protecting activities (or the lack thereof); right now, his Office can only make recommendations – recommendations that companies can ignore if they desire.

As they have for, like, ten years now?


Like this article?   More under Tag Security

Leave a Reply

Your email address will not be published. Required fields are marked *