No evidence Facebook shares personal information with other sites via social plug-ins, investigation finds

PIPEDA Report of Findings #2011-006

---

Summary

The complainant alleged that Facebook was using social plug-ins, such as its “like” and “recommend” buttons, to share his personal information without his knowledge and consent. In particular, it was alleged that third-party websites hosting Facebook’s social plug-ins were collecting personal information of Facebook users without their knowledge and consent.

Following an investigation, our Office determined that the complaint was not well-founded.

Our Office’s investigation determined that Facebook, while effectively “renting space” on third party websites, was not sharing the personal information of its users with organizations hosting social plug-ins. While no specific mechanism exists for Facebook members to “opt-out” of receiving personalized content from third party sites using Facebook plug-ins, members may avoid the delivery of personalized content by logging-out of their Facebook accounts prior to visiting sites hosting Facebook plug-ins.

It was the view of this Office that Facebook was providing individuals with clear and easy to read information explaining how social plug-ins operated on its site, including the fact that information was not being shared with third party sites hosting its social plug-ins.

The OPC’s investigation was limited to a review of the information sharing between sites hosting Facebook’s social plug-ins, and did not include an examination of the use of cookies for web tracking.

Report of Findings

Complaints under the Personal Information Protection and Electronic Documents Act (the Act)

1. The complainant alleged that Facebook, Inc. (“Facebook” or the “respondent”) is collecting, using and disclosing his personal information without his knowledge and consent through the use of social plug-ins (i.e., web-enabled scripts on third-party sites which provide personalized content to Facebook users).

2. The complainant also alleged that third-party web sites hosting Facebook’s social plug-ins are collecting, using and disclosing the personal information of Facebook users without knowledge and consent.

3. The complainant’s concerns centre around the data flows between Facebook and third-party websites that host Facebook social plug-ins. The complainant is concerned that by providing customized content in plug-ins, Facebook is providing information to those websites and the other websites are transmitting information to Facebook. The complainant believes that he ought to have the option to opt-out of any such exchange of information.

4. Given the nature of the complaint, our Office also looked at the information collected by Facebook from all visitors to third-party websites with social plug-ins, including individuals who were not Facebook members.

Background

5. On April 21, 2010, Facebook expanded its social-networking tools to provide third-party websites with the ability to customize the web-viewing experience of its users through the provision of social networking data. This is done in large part through Facebook’s use of social plug-ins, which allow a user to view content derived from their Facebook profile on another website.

6. As described by Facebook, social plug-ins are “buttons and boxes designed to display certain Facebook functionality on third-party websites”. Examples of social plug-ins include the “Like” or “Recommend” icons.

7. An individual’s experience when visiting a website with a social plug-in will vary, depending on whether the individual is a Facebook user, and whether he or she is logged-in to his or her Facebook account. A Facebook member logged-in to his or her account may see personalized content in the social plug-in that highlights any activity that his or her friends may have initiated on that site, such as recommending a news article on a news website.

8. However, non Facebook members, or a member who is not logged-in to Facebook, will only see non-personalized content within the social plug-in. For example, they may see how many Facebook members have recommended a certain article on a news website.

9. Since Facebook’s inception of social plug-ins a little over a year ago, Facebook estimates that there are over 2 million websites using them.

Summary of Investigation

10. In response to the allegations, Facebook maintains that it does not disclose any personal information to websites that host social plug-ins, whether in respect of users or non-users of Facebook.

11. Facebook explains that, technically, a social plug-in is contained within an “iframe” on websites that host the social plug-in, which causes the user’s web browser to retrieve the contents of the iframe directly from Facebook. Facebook likens an iframe to a piece of real estate that the third party site has provided to Facebook. The social plug-in acts as a portal to Facebook for the user, but it does not provide the third party site hosting the plug-in with any access to Facebook user data.

12. We reviewed the technical representations provided by Facebook and the functionality of iframes. Anytime a user visits a website with an iframe containing external content, such as a Facebook plug-in, his or her web browser sends a request to that website’s web server for that content. For example, a news website may have a Facebook social plug-in which tells the user’s browser that additional content for the page is found at facebook.com. The user’s browser then sends a request to Facebook’s web server to retrieve the requested content for the user.

13. In each case, the respective web server will receive a request for a file and send the requested content back to the computer requesting the file. If a user is logged-in to Facebook when visiting the news website, Facebook’s iframe will load with personalized content gathered from the Facebook user’s profile. This information does not travel to the news website but rather directly from Facebook to the user.

14. In response to the collection portion of the allegation, Facebook confirms that it receives log level data every time a user visits a website that hosts a social plug-in. According to Facebook, this “impression” data consists of:

• the date and time a visitor visited the web page;
• the address of the webpage the visitor is visiting (otherwise known as the referrer URL);
• the visitor’s general geographic location;
• the visitor’s browser cookie id;
• the Internet Protocol (IP) address associated with the visitor’s computer; and
• the browser and operating system being used by the visitor.

15. For users that are Facebook members and logged-in to Facebook at the time they visit a website with a social plug-in, Facebook also logs their Facebook user id. Facebook requires the user id in order to customize the content of the social plug-in for that particular user. For instance, it can then populate the plug-in with information about the user’s friends’ recommendations on that site. Facebook stated that if a user is not logged-in to Facebook, then it does not receive the user id.

16. As noted by our technical experts, Facebook logs all content requests by default, which is common practice amongst online content providers.

17. In the course of our investigation, our experts also reviewed the types of cookies present in traffic between Facebook and sites that host social plug-ins. In particular, we examined the cookies that Facebook sets when a user interacts with a Canadian news website. Our technical experts noted two cookies in particular, both of which could be used to provide Facebook with information about a user’s visit to a site with a social plug-in. These cookies are a session cookie named “presence”, and a persistent cookie named “datr”. In examining the presence cookie in greater detail, our technical experts noted that Facebook received a member’s user id even if they logged-out of Facebook but did not close their browser. This revelation appeared to contradict Facebook’s assertion that if a user logs out of Facebook, it will not log the user id.

18. Upon discovering the above, we shared our findings with Facebook and allowed the company to review our test results. Facebook identified a bug in its software which appeared to prevent the deletion of the “presence” cookie upon a user’s logout. Facebook has since fixed the bug and our IT experts have confirmed that the presence cookie is now appropriately deleted upon a user logging-out of a Facebook session.

19. Concerning Facebook’s persistent cookie “datr”, our IT experts confirm that it is sent back to Facebook for all visits to pages with social plug-ins. Facebook states that the “datr” cookie consists of a timestamp, a random number and an authorization code. The information generated by the “datr” cookie could be linked to other information Facebook has collected in its logs, including an IP address. Because the “datr” cookie persists for up to two years, it may serve to track browsing habits for anyone that visits a site hosting a social plug-in. Conceivably, Facebook could link these browsing habits to identifiable Facebook users.

20. We addressed these concerns with Facebook and asked about the purpose of the “datr” cookie. Facebook clarified that the “datr” cookie, which they term a “machine” cookie, is used to detect malicious or spamming activity and is a core component of their online security strategy. The cookies allow web servers to detect when web or content requests originate from a single physical machine. Facebook states that for logged-in Facebook users, the machine cookie can be associated with a Facebook user’s account. The association is used to determine whether an individual is actively using Facebook from a particular machine. According to Facebook, once a user has properly logged out, the company does not associate the machine cookie with the user’s Facebook account. Facebook confirmed with our Office that it does not track data about Facebook members’ or non-members’ use of the web through its social plug-in, other than the limited log level data it receives about users’ interactions with a social plug-in.

21. We asked Facebook how it uses impression log data, which includes the IP address for all individuals and the user id for logged in Facebook members. According to Facebook, once collected, information retrieved from Facebook’s web servers is aggregated and retained for 90 days. It states its current practice is to “de-identify” the impression log data by stripping the user id from the data within the first 30 days following its collection. It then uses the impression log data in a de-identified form to create aggregated metrics. According to Facebook, the log-level data of non-Facebook members who visit a site with a social plug-in is in non-identifiable format.

22. Facebook states it uses the information that it gains through analysis of log level data to determine how the plug-ins are working and to improve user experience. For instance, Facebook will look at the number of impressions or top domains of different demographics. Facebook insists this use of log level data to create aggregated information is consistent with normal industry practice.

23. Statistics derived from de-identified and aggregated log data may also be shared with Facebook’s product partners. Such information may include, for example, bucketed demographic information on the type of users who interact with a certain plug-in on any given site. While actual log level data is deleted after 90 days, statistical information is kept longer.

Analysis and Findings

July 28, 2011

24. In making our determination on this issue, we analysed the meaning of the term “personal information”, which is defined under subsection 2(1) of the Act as meaning information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.

25. We also applied Principle 4.3. of Schedule 1 of the Act. Principle 4.3 states that an individual’s knowledge and consent are required for the collection, use, or disclosure of their personal information, except where inappropriate.

26. At issue is whether Facebook collects, uses or discloses the personal information of a visitor to a third-party website which hosts a Facebook social plug-in, without the knowledge and consent of that visitor.

27. With respect to the issue of whether Facebook discloses personal information to third-party websites without knowledge and consent, while Facebook’s social plug-ins allow for the delivery of customized content, our investigation confirmed that the plug-ins, as designed and operating, do not share personal information with third-party websites. Facebook has stated that it may share metrics derived from the log level data it receives through social plug-ins; however, is the metric information is sufficiently anonymized and aggregated to ensure that individuals cannot be identified.

28. We note further that where plug-ins provide personalized content, they do so only for Facebook users who are logged-in to the site. A user who does not wish to receive personalized content can log out of Facebook prior to accessing websites with social plug-ins.

29. However, for every visitor to a website containing a social plug-in, whether the visitor is a Facebook user or not, Facebook collects certain information generated from the visitor’s visit to the third-party website in question, known as log-level “impression” data. As mentioned above, such information includes the date and time a visitor visited the web page, the referrer URL, the visitor’s general geographic location, the visitor’s browser cookie id, the IP address associated with the visitor’s computer, the browser and operating system being used by the visitor, and with respect to Facebook users logged-in to their account, their Facebook user id.

30. Such information can constitute personal information under the Act where there is a serious possibility that an individual can be identified through this information, either alone or with other available information. With respect to Facebook users logged into their account, the log level information collected by Facebook constitutes the personal information of the Facebook user in question.

31. This Office has previously found that an IP address can be considered personal information in certain circumstances, including where it can be associated with an identifiable individual.^{Footnote 1}

32. With respect to non Facebook members, or members logged-out of Facebook, Facebook states that the IP address is non-identifiable. In these two circumstances, we have not uncovered any evidence to indicate that Facebook does, or has the capacity to, link the IP address they collect to an identifiable individual. Therefore, with respect to non-Facebook users, or Facebook users who are logged-out, Facebook is not collecting or using personal information with respect to these individuals in the circumstances of this complaint.

33. However, with respect to Facebook users who visit sites with social plug-ins while logged-in to their accounts, Facebook collects that user’s Facebook user id. This information allows Facebook to clearly identify an individual and would be considered personal information under the Act. Likewise, all the other “impression” data generated where a Facebook user who is logged-in visits a website with a social plug-in constitutes personal information under the Act, including the IP address.

34. Although there is no express way to opt-out of this collection and use of personal information, users can log out of the site before browsing the web to avoid having their personal information logged by Facebook.

35. In Facebook’s view, users implicitly consent to the collection of certain technical data when they interact with a website. Our Office agrees that the basic mechanisms of web communication require this transmittal of information and users do implicitly consent to it. However, to the extent that such data constitutes personal information, as is the case for the log level information collected from a Facebook user while logged in, Facebook needs to ensure that the collection and use of personal information is explained to users in a clear and understandable manner in order to ensure knowledge and consent.

36. This brings us to the notification provisions and the information that Facebook and its partners hosting social plug-ins provide to users. As part of our investigation, we reviewed Facebook’s privacy policy and Help Centre notices. In doing so, we considered the quality and completeness of their notice provisions vis-à-vis social plug-ins and whether or not such provisions were sufficient in allowing for knowledge and consent. While the nature and function of social plug-ins may be difficult to understand, our Office is of the view that Facebook has endeavoured to inform its respective users of its plug-ins’ operation in a clear and understandable manner. Facebook users who select the “Privacy” link located at the bottom of each Facebook page are provided with a short explanation of social plug-ins. At the time of our investigation, it stated:

Buttons and boxes containing Facebook content may appear on other websites to create more social experiences for you. The sites you’re visiting receive none of your information. The content in these plugins comes directly from Facebook.

37. From that page, one can also access a short animated video which describes social plug-ins. It, too, advises members that no information is shared with third party websites.

38. Users can also obtain information on Facebook’s use of personal information in social plug-ins by reviewing the company’s frequently asked privacy questions (“Privacy FAQ”). This link brings a user to Facebook’s Help Centre which contains more detailed information about social plug-ins. Within this section, Facebook provides detailed responses to questions such as:

• What Information does Facebook receive about me when I visit a website with a Facebook social plug-in?
• How do I opt-out of viewing social plug-ins?
• If I visit a site that uses social plug-ins but don’t interact with them, has any information been shared about me?

39. We found Facebook’s privacy FAQs relating to the use of social plug-ins to be satisfactory and easy to read. Central to each response is the assertion that Facebook does not share or sell the information collected by the company when a Facebook user visits a website with a social plug-in.

40. Facebook’s privacy policy provides basic details about its collection of access device and browser information, its use of cookies when individuals interact with “widgets” and that it uses information it collects to “manage the service”.

41. Overall, we are of the view that Facebook is currently adequately describing social plug-ins in order to obtain informed consent for the collection and use of personal information of Facebook users, where they are logged-in, when they visit a third-party website hosting a social plug-in. In all, we are of the view that Facebook has provided users with sufficient information related to their use and operation every time a user visits a site with a social plug-in.

42. Based on the above, we find the complaint to be not well-founded.