Facebook is conducting a massive user referendum this week, asking its 900 million-plus users to approve or reject changes to its privacy policy that it first proposed on May 13.
Facebook says the result of the vote will be binding if at least 30 percent of active users participate, and “advisory” if that threshold isn’t met. But rather than earning praise for turning to user-friendly bylaws for its so-called data use policy, the company has set off a new round of criticism about its alleged disdain for user privacy.
The unusual vote on proposed changes to Facebook’s privacy policy stems from events that have unfolded in Europe. European law requires corporations to disclose, upon request, any information they hold about individuals. Last year, 24-year-old Austrian law student Max Schrems petitioned Facebook to share with him all the information the company had about him. The dossier he received became the basis of a number of legal complaints he filed with the Irish Data Protection Commissioner’s Office, which has jurisdiction over Facebook Ireland, the company’s headquarters for operations outside North America.
According to Schrems, the dossier revealed that Facebook was violating European law.
The Irish office responded by auditing Facebook Ireland. Under pressure from the commissioner, Facebook agreed to make changes to its data use policy.
When Facebook announced the proposed changes last month, it said that if it received more than 7,000 substantive comments on them, it would hold a referendum. More than 40,000 comments came in, thanks largely to a campaign by the nonprofit that Schrems runs, Europe v Facebook. The nonprofit has amassed a significant following on social media, including more than 5,200 “likes” on Facebook itself, but the biggest influx of signatures came after Schrems appeared on a popular German television show.
Although the vote could be seen as a win for privacy advocates, Schrems described it as a sham.
Schrems said that in its handling of the vote, Facebook effectively “hid the polling center.” The voting, he explained, is not prominently featured on the site. The company also demanded that huge numbers of users comment on its proposed changes in order to trigger a vote, but was then critical of the mass-organizing tactics that Europe v Facebook used to turn out the comments, he said.
Facebook defended its efforts to elicit user feedback.
“To promote the vote, Facebook has served nearly a billion impressions to users, including mobile-only users, and will continue to do so. Once someone votes they can choose to tell their friends they did so in their friends’ News Feeds,” a representative wrote in an email.
U.S.-based privacy advocate David Jacobs, the consumer protection counsel at the Electronic Privacy Information Center (EPIC), was also dismissive of the referendum.
“The notice has been seriously inadequate. As far as I can tell, only members of Site Governance and Facebook and Privacy pages were notified, and the vote is only open for a week,” Jacobs said. “The procedure seems to be flawed, unless the goal is to have a vote that doesn’t really mean much.”
Both European and American privacy groups are advising users to vote against Facebook’s proposed changes. Schrems said the changes don’t do enough to address the potential illegalities flagged by the Irish data protection commissioner. He took a recent ZDNet interview as evidence that the commissioner’s office will demand changes from Facebook even if users approve the new policy.
Gary Davis, deputy commissioner of the Irish data protection office, said in an email that the office was “satisfied with the version presented,” but added, “the privacy policy is only one step in the consenting and engagement process with users, and it is recognized that a move towards the seeking of what we would term ‘in-line’ consent represents a better approach as it seeks a consent from a user for the use of their data at a time when it is relevant.”
Schrems’ group sees the vote as a way for users to communicate to Facebook that they want more privacy protections.
EPIC’s Jacobs said users should vote against the new policies. Voter approval could just entrench practices that don’t really safeguard user privacy, because the new policies are more explicit without offering more protection, he said. That would make them harder to fight. According to Jacobs and other privacy advocates, American laws mainly restrict companies from diverging from what they tell users about their practices with personal data.
Pro-privacy software vendor Abine, which points out a privacy advisory email, is also telling users to vote against Facebook’s proposed changes. The company has suggested that users may lose privacy protections under the new policy.
Unless opponents pull off a last-minute media coup, it seems unlikely that the vote will amount to more than a measure of user sentiment. With voting scheduled to end at 9 a.m. Pacific time on Friday, the total number of voters as of late Wednesday afternoon had not reached even 10 percent of the number needed to make the vote binding. About 85 percent of voters were rejecting the new documents.