Facebook and Google
Kieng Iv 20233702
Grace Lam 20224242
Chang (Grace) Li 20240147
The two mega Internet companies – Facebook and Google – have millions of users around the world and
have been under public scrutiny for privacy issues. Over the past few years, major privacy issues for
Facebook include the implementation of Beacon software, permanent storage of profile information, and
unauthorized access by third parties, all of which have received criticism from the public and regulatory
The Beacon software disclosed user information despite users changed the settings to opt-out from the
default opt-in. This breach of privacy resulted in Facebook settling for $9.5 million on a class action
lawsuit. The software was eventually shutdown. The second issue discussed related to Facebook storing
profile information indefinitely. Users are unable to permanently delete their information without going
through rigorous process. The third issue involves unauthorized information leaked to third parties even
for users with the highest privacy settings, which was a direct violation of Facebook’s own privacy terms.
Facebook disabled all applications violating its own privacy terms.
The major privacy issues faced by Google were related to Google Street View, the Buzz, and
smartphones. Google Street View inappropriately collected personal information using their Street View
vehicles through unsecured Wi-Fi signals. Google attributed the unintentional act to an internal error and
was ordered by the Office of the Privacy Commissioner to delete all the related data. The second major
issue related to Google is the user outraged caused by default usage of Buzz without an option of opting-
out. After conducting appropriate investigations, the U.S. Federal Trade Commission concluded on
Google violating its own privacy policies. The proposed claim settlement is to have an independent review
of Google’s privacy procedures every two years. In addition to settling a lawsuit, Google also set up an
education fund on Internet privacy. Last but not least, Google has been criticized for collecting mobile
phone locations without the knowledge and consent of the users. Whether this constitutes a breach of
privacy is yet to be determined.
Google responded to privacy issues by Google Dashboard, Data Liberation and in-ad notices, all of which
are designed to allow users to control their privacy settings and to restrict data collected and stored by the
Some recommendations to improve the privacy controls for both companies include adhering to the
respective company privacy policies, informing users of amendments to privacy policies/introduction to
new features in a more transparent manner, and allow users the option of disabling and deleting their
accounts. Due to the large amount of criticism received by Facebook and Google regarding their privacy
issues, in the U.S., regulatory bodies may soon be stepping in to place tighter privacy controls. Therefore,
it is in both companies’ interest to improve their privacy policies to avoid unwanted government regulation
in the future.
Facebook and Google are two mega Internet companies with millions of users around the world. Although
they provide different services to their users, they have both been under the spotlight for the past few
years for infringement of their users’ privacy. This research paper analyzes the privacy issues by both
companies, the public reaction to those issues, as well as the respective companies’ response to the
alleged violations of privacy. Recommendations are made through which Facebook and Google can
improve their privacy controls.
Facebook is a social networking website that currently has over 600 million users. It was founded by Mark
Zuckerberg, the current CEO, and was launched in February 2004. It is often cited as the most popular
and the most visited social networking website in the world.
Facebook collects vast amounts of data from its users and has been under harsh criticism by users,
privacy regulators and governments because of the misuse and use of user data. The three broad
categories of privacy issues faced by Facebook are unauthorized third party access, privacy control and
Issue #1 - Beacon software
In 2007, Facebook developed software called Beacon that extracted data from 44 websites and combined
the data with Facebook’s internal system. This allowed and/or forced users to post purchase information
onto their newsfeed for people in their social network to see. For example, “Fandago users [could] publish
information about the movies they saw” . The system was meant to be used as an advanced target
The system caused controversies with users and privacy advocates because the system would report
online purchases to Facebook regardless of whether users have opted-in or not . As well, the system was
defaulted to be an opt-out instead of an opt-in system which resulted in millions of users using the
software without their explicit consent . Even after opting-out, users’ purchase data on partnering sites
were still being stored by Facebook.
Facebook admitted that the default settings on the system and software implementation were mistakes
and apologized. The default was changed to an opt-in and Facebook allowed users the option to prevent
Facebook from storing data from third party partner organizations . In addition, Facebook reached a
settlement of $9.5 million on a class action lawsuit against the program . As part of the settlement,
Facebook also had to pay $9.5 million “to create a foundation to fund products that promote online
privacy, safety and security” . Finally, Facebook completely shut down the Beacon advertising system.
Issue #2 – Profile Information Permanently Stored
In 2008, it was reported by the New York Times that users can deactivate their accounts but a copy of the
information will be retained on Facebook servers indefinitely. Facebook’s reasoning for retaining the
information is to allow users to reactivate their account with minimal impact. The terms of Facebook at
that time stated that “you may remove your user content from the site at any time, [but you also]
acknowledge that the company may retain archived copies of your user content.”
However, several former users were surprised by the inability to easily remove their account permanently
from Facebook. In order to do so, users must manually delete their information line-by-line. In addition to
removing all the data off the account, users must contact Facebook customer service to have the profile
permanently deleted. One user created a blog titled “2504 steps to closing your Facebook Account” .
Facebook has since implemented a function that allows users to permanently delete their account.
Issue #3 – Third Party Unauthorized Access of User Data
On May 10 , 2011, Symantec reported that there was a security vulnerability to Facebook applications
which allowed third party applications to access user data through a ‘back door’ and to give tokens to
advertisers and analytics companies. Symantec estimated that 100,000 Facebook applications had the
ability to grant access to advertisers to access user data through this backdoor . Facebook stated that it
patched up the security flaw and, upon conducting its own investigation, found that no applications
passed on the back door access to advertisers .
Similarly, on October 18 , 2010, it was reported that many of the most popular Facebook applications
were sending user IDs, the unique identifier for each user profile, to marketing and Internet tracking
companies without authorization. The issue impacted tens of millions of users, including those with the
highest privacy standards, which is a direct violation of Facebook’s own privacy standards. Several
companies that had received the user IDs created databases of Facebook users based on information
available to them such as name, age, residence, occupation and photos. Facebook responded by
disabling all applications violating Facebook privacy terms .
Issue #4 – Government and Regulatory Criticism
Given the many privacy issues Facebook has faced since its inception, it has not had a positive response
from many political and regulatory parties such as the following:
The Korea Communications Commission – The commission criticized Facebook’s method of notifying
users of personal information collected and obtaining consent on the use of data: “Facebook would need
to notify users of the purpose and the period in which the details would be used” .
Canadian Internet Policy and Public Interest Clinic (CIPPIC) – “Privacy Commissioner Jennifer Stoddart
found Facebook in violation of the Personal Information Protection and Electronic Documents Act
(PIPEDA). Canada is now recognized as the first country in the world to issue legally binding
recommendations to the social networking site.” There were 12 issues raised by the CIPPIC, out of
which four were initially dismissed by the Office of the Privacy Commissioner of Canada (OPC) due to
insufficient ground. Facebook made several changes to comply with numerous other issues. For
example, in response to privacy allegations made against default privacy settings, Facebook introduced
“Privacy Wizard”, “whereby users [can] select a low, medium, or high privacy setting. This selection
[dictated] more granular default settings” . Most of the CIPPIC’s concerns are around third party
applications accessing user data and retaining of user information on Facebook server after the user has
deleted his or her account.
The U.S. Senate – Several U.S. Senators stated that they would like Facebook to stop sharing data
automatically with sites such as Yelp.com and Pandora.com. In a letter to the CEO, Mr. Zuckerberg, “the
Senators said the company should allow users to opt-in to such practices, rather than force them to go
through a complicated opt-out process if they do not want to participate.” They expressed that they
wanted the Federal Trade Commission (FTC) to regulate social networks such as Facebook.
Hamburg Commissioner for Data Protection and Freedom of Information – Facebook issues consist of
invitation and email address storage. Currently, users who generate a list of non-Facebook user email
contacts have their list stored on Facebook servers regardless of whether an invite has been sent to that
email address. “Many citizens of the German state of Hamburg have complained in recent months of
Facebook passing their contact information to third parties and storing information about their
relationships in this way” . Facebook faces a fine because storage by third parties is inadmissible . In
addition, it responded by saying that “[Facebook] is not the only social network to offer such friend-finding
functions or to misuse data in this way, merely the largest” .
In merely 13 years, Google has become a household name in every continent. Its mission is “[t]o organize
the world‘s information and make it universally accessible and useful”. However, in trying to organize the
world’s information, Google faces many privacy concerns. Google’s managing product counsel, Mike
Yang had acknowledged that its “mission statement inherently leads to privacy being an issue” . In the
last three years, Google was plagued with privacy violations, most prominently related to Google Street
View, Buzz and their smartphones.
Google Street View
Google Street View was launched in 2007 as a picture-based map that provides a panoramic view of
many streets around the world. Pictures were captured by vehicles equipped with special cameras and
other devices such as GPS. This innovative product was flagged for breaching privacy laws in many
countries and in many ways. One particular violation was the collection of Wi-Fi data without users
According to the OPC, Google breached Canadian privacy law by inappropriately collecting personal
information using their Street View vehicles. Identifiable information such as complete emails, user
names and passwords, telephone numbers, addresses and health details were captured from unsecured
Wi-Fi signals . Google attributed the unintentional act to a “careless error” stemming back from 2006
when a programmer did not forward a program code meant to collect the locations of public Wi-Fi to
Google’s lawyers to review for privacy implications , which was a violation of company policy. Once the
breach was made public, Google admitted to the error on its blog and stated it will cooperate fully with the
OPC in the investigation. Google was ordered to have all data deleted by February 1 , 2011, as well as
designating an individual to be responsible for ensuring the company’s compliance with privacy laws and
to provide privacy training to employees. The public reacted negatively to the news; although some
individuals such as Michael Geist, the Canada research chair in Internet and e-commerce law at the
University of Ottawa, said Google reacted “more responsive than a lot of other companies” .
(Horkay & Levitz, 2010)
(Google Breached Canada's Privacy Laws, 2010)
(Horkay & Levitz, 2010)
Buzz is a Twitter-like application that is integrated with Gmail and many other online services that allows
users to post messages on a public forum. The application was introduced in 2010 and was added to a
user’s Gmail without his or her consent; the user did not have the option to opt-out. The user’s Gmail
contacts were automatically added to Buzz and this caused user outrage as their privacy was comprised.
In the U.S., a complaint was filed by a Washington-based advocacy group called the Electronic Privacy
Information Centre to the FTC. The group asked the FTC to investigate whether Gmail users’ privacy was
comprised when their email contracts were automatically added to Buzz. Upon completion of the
investigation, FTC stated that Google “led Gmail users to believe that they could choose whether or not
they wanted to join…[but the] options for declining or leaving the social network were ineffective.” In
addition, the privacy controls Google set up were “confusing and difficult to find” . On a general basis,
FTC concluded Google violated its own privacy policies. As of March 2011, the proposed claim
settlement, which doesn’t constitute as a fine, was to have an independent review of Google’s privacy
procedures every two years. Google responded to the claim by posting “[w]e don’t always get everything
right…The launch of Google Buzz fell short of our usual standards for transparency and user control.” In
Canada, the OPC stated in a letter to Google that Buzz violated the fundamental principle that individuals
should be able to control their personal information.
In November 2010, Google settled a group lawsuit brought by Gmail users who claimed the exposure in
Buzz invaded their privacy. Google also agreed to set up an $8.5 million fund to finance Internet privacy
Currently, Google and Apple Inc. are both under scrutiny for collecting mobile phone locations without the
knowledge and consent of the users. It has yet to be determined whether this is a breach of privacy. Both
companies have agreed to testify at the May 10 , 2011 Senate Judiciary committee’s privacy hearing .
The hearing is lead by Senator Al Franken. The willingness of Google to testify affirms that the company
is indeed placing privacy as a concern on its corporate agenda.
Additional Responses by Google
In light of the numerous privacy issues, Google responded by launching Google Dashboard, Data
Liberation and in-ad notices. These services are designed to allow users to control their privacy settings
and to restrict data collected and stored by the company. There are people that sympathize with Internet
companies regarding the difficult situation privacy regulation causes. For example, Daniel Weitzner, an
(Angwin & Efrai, 2011)
Internet policy official at the U.S. Commerce Department, stated that Internet companies are bombarded
with too many privacy rules spanning dozens of jurisdictions .
Both Facebook and Google have been under public and regulatory scrutiny for the past few years on
privacy issues. While many amendments have been made to their respective systems, there are still
unresolved issues that are watched closely by users of Facebook/Google and regulatory bodies. The
following paragraphs outline some relevant and feasible recommendations based on Facebook and
Google’s respective privacy issues.
The first and foremost recommendation is for both companies to adhere to their own privacy policies.
Facebook violated its privacy policies by distributing user IDs without user authorization while Google did
not provide an effective means for users to opt-out of the Buzz . The privacy policies that are set in
place represent boundaries placed by the companies themselves. Even adhering to their policies are not
enough to protect users privacy, let alone falling short of it; stepping outside of the boundaries will result
in a loss of user confidence and severe public criticism. As an example of following its privacy policies,
Google should ensure that programmers forward codes related to data collection to its lawyers to review
for privacy implications, preventing unintentional data collection such as the one occurred in 2006 .
Although both companies have been amending their systems continuously due to constant public
criticism, with the introduction of new features, more privacy issues arise, especially around user consent
for newly introduced features. Instead of having regulatory bodies playing “catch” with Facebook and
Google, they should make sufficient disclosure to users before opting them in for any new features. When
a user logs into his or her account, if there has been any amendments to existing privacy policies, the
users should be notified by a pop up window before proceeding to their account information. If a new
feature is involved, there should be an opt-in and an opt-out button along with the pop up window so
users are given the option right from the outset instead having to opt-out later when the fault is set to
There may be instances where Facebook or Google would not realize security issues until they are
brought up by users. While users can help the companies to identify issues and improve their privacy
controls, Facebook and Google should not wait for nor rely on users to discover any privacy breach.
Thorough testing should be performed before launching any new features to prevent user outrage from
too many instances of patching up issues after the feature releases. This objective may be achieved
through test runs with a subset of users by forming a focus group, if feasible, before the settings are
applied to millions of Facebook users.
(Horkay & Levitz, 2010)
(Google Breached Canada's Privacy Laws, 2010)
For new users of Facebook and Google, before allowing the users to declare that they have “read the
terms and conditions”, perhaps the companies should have a “pop-quiz” in multiple choice format to
pinpoint important aspects of their respective privacy policies. Due to the popularity of Facebook and
Google, this extra procedure probably would not deter a user from signing up a new account. Some may
While this may be true, at least the companies will be viewed as making an effort to present their privacy
policies in a much more transparent manner, of which companies are often criticized.
Specifically to Facebook, if a user decides to delete his or her account, Facebook should perform the
responsibility of deleting user data permanently instead of having the user to delete his or her information
on a line-by-line basis . One recommendation is to move all the data associated with users who have
deleted their accounts to a separate server on a daily basis. All information stored on the server can then
be purged regularly and frequently. According to Facebook, the purpose of retaining user information is to
allow users to reactivate their account with minimal impact. Facebook can still achieve this purpose by
adding a “disable account” function: users who simply want to resume onto Facebook at a later date can
choose this function instead of deleting all their information completely. In addition, Facebook can learn
from Google whose Dashboard has been praised as more of an effective means “to get advertisers to
adhere to principles” . A similar feature will help improve Facebook’s data storage transparency to its
Implementing one or a combination of the above recommendations may hurt the revenue of these two
advertising-driven businesses. However, in the long run, tighter privacy controls will improve the
companies’ relationship with users and regulatory bodies. The U.S. is already working on producing“a
privacy bill of rights “giving American consumers greater control over how their information is collected
and used by digital marketers” . It will likely “to give a broader role to the [FTC], which will almost
certainly be charged with deciding how those principles are translated into practice and with policing their
implementation” . The less effective the privacy policies based on self-regulation of Facebook and
Google the more stringent the FTC will be when this bill passes. Therefore, it is in favour of both Internet
companies to improve their privacy policies to avoid unwanted government regulation in the future. In
addition, this bill could also help Facebook and Google in “their dealings with the European Union.” EU
is tightening its “already fairly strict rules on privacy--which it considers a fundamental human right” .
With stricter privacy controls imposed by the companies themselves and through the FTC, it will save
Facebook and Google time in dealing with the EU in handling Europeans’ online data.
Angwin, Julia; Efrati, Amir (2011, March 31). Corporate News: FTC Penalizes Google --- Settlement Over
Buzz Data Sharing Includes Privacy Audits. Retrieved May 13, 2011, from The Wall Street Journal: page
Anonymous. (2009, December). DMA: Putting best practice before regulation of data industry. Data
Strategy, 8. Retrieved May 18, 2011, from ABI/INFORM Global. (Document ID: 1951698291)
Anonymous. (2011, March 11). Business: Stopped in their tracks; Online privacy. The Economist, 72.
Retrieved May 18, 2011, from ABI/INFORM Global. (Document ID: 2297561821)
Anonymous. (2010, October 19). Google breached Canada's privacy laws. Retrieved May 13, 2011, from
CBC News: http://www.cbc.ca/news/technology/story/2010/10/19/google-street-view-privacy.html
Aspan, M. (2008, February 11). How Sticky Is Membership on Facebook? Just Try Breaking Free.
Retrieved May 16, 2011, from New York Times:
May 17, 2011, from ABI/INFORM Global. (Document ID: 2020775121).
Davidson, D. (2009, September 21). Media Week. Retrieved May 17, 2011, from RIP Beacon: Facebook
set to terminate ad service in $9.5m settlement: http://www.mediaweek.co.uk/news/939650/RIP-Beacon-
Denham, E. (2009). Report of Findings into the Complaint Filed by the Canadian Internet Policy and
Public Interest Clinic (CIPPIC) against Facebook Inc. Under the Personal Information Protection and
Electronic Documents Act. Retrieved May 19, 2011, from Office of the Privacy Commissioner of Canada:
Engleman, Eric. (2011, April 28). Google, Apple to Testify on Mobile Privacy, U.S. Lawmaker Says.
Retrieved May 13, 2011 from Bloomberg.com: http://www.bloomberg.com/news/2011-04-28/google-
Fowler, G. A. (2011, May 11). Congressmen Press Facebook On Privacy (Again). Retrieved May 16,
2011, from The Wall Street Journal: Congressmen Press Facebook On Privacy (Again)
Fowler, G. A. (2011, May 11). Congressmen Press Facebook On Privacy (Again). Retrieved May 16,
2011, from The Wall Street Journal: Congressmen Press Facebook On Privacy (Again):
Horkay, Alex; Levitz, Stephanie. (2010, October 19). Google accidentally mapped much more than
addresses, says privacy boss. Retrieved May 13, 2011, from The Toronto Star:
Kavur, J. (2009, August 19). Canada takes leading role in Facebook privacy issues. Retrieved May 17,
2011, from it World Canada: http://www.itworldcanada.com/news/canada-takes-leading-role-in-facebook-
Malik, O. (2007, November 6). Is Facebook Beacon a Privacy Nightmare? Retrieved May 15, 2011, from
Rivington, J. (2007, December 6). Facebook Spying scandal comes to an end. Retrieved May 15, 2011,
from techradar.com: http://www.techradar.com/news/internet/web/facebook-spying-scandal-comes-to-an-
Rivington, J. (2007, December 3). Is Facebook spying on its users? Retrieved May 15, 2011, from
Sayer, P. (2010, July 8). Facebook faces fine form German Privacy Regulator. Retrieved May 17, 2011,
Song Jung-a. (2010, December 10). Seoul push on Facebook privacy. Financial Times,25. Retrieved
May 17, 2011, from ABI/INFORM Global. (Document ID: 2209402071).
Steel, E. (2010, October 18). Facebook Privacy Breach. Retrieved May 17, 2011, from The Wall Street
White, Aoife. (2011, March 23). Google, Internet Companies Face Too Many Privacy Rules, U.S. Official
Says. Retrieved from Bloomberg.com: http://www.bloomberg.com/news/print/2011-03-23/internet-firms-