Skip to main content
Find a Lawyer

On Facebook Forever? Why the Networking Site was Right to Change its Deletion Policies, And Why Its Current Policies Still Pose Privacy Risks


Friday, Feb. 29, 2008

Has Facebook become like the Hotel California, where "you can check out any time you like, but you can never leave"? Until recently, that was how it felt to Facebook users who wanted to remove themselves, but found the process was neither quick nor straightforward.

Facebook used the term "deactivate" in its privacy policy, and "deactivation," it turned out, was not the same as deletion. Instead, Facebook would keep material stored in case users later wanted to reactivate their accounts. Thus, the site reportedly warned users that "[r]emoved information may persist in backup copies for a reasonable period of time," and "[e]ven after removal, copies of user content may remain viewable."

In light of recent criticisms in the blogosphere, however, Facebook has wisely changed its policy. It now allows users to remove themselves and their data from Facebook with a single email request.

In this column, I will examine Facebook's prior policy, and analyze whether it was legal. I will also consider other facets of Facebook's data retention and privacy policies. Finally, I will argue that users need to be more cautious about signing up for social networking sites because, on such sites, their privacy cannot be fully guaranteed.

The Ordeal of Removal, and Facebook's Change of Rules

Under Facebook's previous rules, the lack of a single-step method of account deletion surprised and outraged many users. For instance, many people wanted to quickly be able to erase embarrassing or overly personal online profiles from their student days as they entered the job market, for fear employers would locate the profiles - yet Facebook's previous rules made that impossible.

Commenting on the prior Facebook policy, technology consultant and blogger Stephen Mansour recently wrote an article entitled "2054 steps to closing your Facebook account" that recounted his own lengthy process to get his account permanently removed from Facebook. To illustrate his point, Mansour posted a copy of his email correspondence with Facebook on his blog. Mansour recounted how, after contacting Facebook and requesting that his account be deleted, he was instructed to manually delete every single piece of information that he had posted on the site - including mini-feed items, friends' postings, wall writing and the like. He noted that not only was the process cumbersome, but it was not made clear on Facebook's site. Moreover, it was only after this process, he recalls, that Facebook would begin deleting his account. (Mansour pointed out that, in contrast, other sites such as Myspace and Flicker had simple removal processes.)

Mansour's blog posting prompted a Swedish Facebook user, Magnus Wallin, to form a Facebook group called "How to permanently delete your Facebook account."

Facebook, in response, has made the process a bit clearer and simpler. In mid- February, Facebook updated its help pages to answer the question "How do I delete my account?" Its answer reads as follows: " If you do not think you will use Facebook again and would like your account deleted, we can take care of this for you. Keep in mind that you will not be able to reactivate your account or retrieve any of the content or information you have added. If you would like your account deleted, please contact us using the form at the bottom of the page and confirm your request in the text box. "

Facebook's Prior Rules Were Legal in the U.S., But Perhaps Not in the EU

Facebook users were right to be concerned about the original distinction between deactivation and deletion. While storing the data was legal - at least in the U.S. - it also could be harmful to the user, if a third party gained unauthorized access. Thus, users were right to push for new rules and new options.

In Europe, it is possible that Facebook may have violated the law by deactivating, rather than deleting accounts. The UK Data Protection stipulates that companies should not retain data for longer than is necessary. And in January of this year, it was reported that Facebook was reportedly facing an investigation by the UK Information Commissioner's Office based on complaints from users who say their profiles were not properly deleted.

Reportedly, a spokesperson from that office commented, "Many people are posting content on social networking sites without thinking about the electronic footprint they leave behind." Arguing that websites should "take some responsibility," the spokesperson said that such sites "should ensure that personal information is not retained for longer than necessary especially when the information relates to a person who no longer uses the site."

Why Users of Social Networking Sites Can Never Count on Posted Information Totally Disappearing from the Web

Unfortunately, even true deletion of a profile by Facebook is unlikely to address users' concerns about embarrassing information remaining accessible. Information may be cached outside Facebook, or simply saved by an individual who views it.

Thus, Facebook has posted the following warning to users: "When you use Facebook, certain information you post or share with third parties (e.g., a friend or someone in your network), such as personal information, comments, messages, photos, videos, Marketplace listings or other information, may be shared with other users in accordance with the privacy settings you select. All such sharing of information is done at your own risk. Please keep in mind that if you disclose personal information in your profile or when posting comments, messages, photos, videos, Marketplace listings or other items, this information may become publicly available."

College and even high school students thus may want to beware of what they post, for it may impede their ability to gain employment five or even ten years in the future.

Other Facebook Policies that May Cause Users Concern

Most savvy Internet users will be well aware of the risks of copying and caching information posted on Facebook and similar sites. But they may not be aware that Facebook reserves the right to supplement user profiles with information it collects from other sources. In other words, on Facebook, users may not even have full control over their own profiles.

Facebook's policy on this issue reads as follows: "Facebook also collects information about its users from other sources and this information may be added to a profile We may use information about you that we collect from other sources, including but not limited to newspapers and Internet sources such as blogs, instant messaging services, Facebook Platform developers and other users of Facebook, to supplement your profile." Granted, users can request that this NOT be done - but they may only be aware of the risk if they have carefully read Facebook's privacy policy.

Finally, as the Electronic Privacy Information Center (EPIC) has pointed out, those users who install third-party applications - which the Facebook Platform allows -- also face privacy concerns. When someone installs an application, the application (program) can "see" or retrieve the same information the user can see. Normally, a user can restrict the information that other Facebook members can see, based on privacy settings. But when the user installs an application, the owner of the application is free to retrieve ,examine and possibly misuse a Facebook member's information. Users cannot restrict the data that an application provider sees. The Facebook Terms of Use agreement prohibits application developers from doing such things. But as EPIC and others note, Facebook has no way of stopping them if they do collect or use Facebook data.

In sum, users who think that simply removing their Facebook profiles will protect their privacy should think again. Until Facebook changes other rules, serious privacy risks will persist on the site.

Anita Ramasastry is a visiting professor at the National University of Ireland - Galway and an Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, computer data security issues, and other legal issues for this site, which contains an archive of her columns.

Was this helpful?

Copied to clipboard