Social Media Privacy Policies Come With Unexpected Loopholes

By Cameron Scott 

online privacy, digital privacy, social media, social networks, pinterest, facebook

sharpner /

By now, most users think they know the social privacy media privacy landscape, but a Canadian research project found some surprising loopholes in the companies’ privacy policies.

We expect online services to collect user data and access it to serve advertising, but we’ve also come to expect that the services will release only general information about users to third parties. A company might tell an advertiser, for example, about a male user in San Francisco in the 25-45 age group, but they wouldn’t identify that user by name, email address or race.

Except when they would, a University of Victoria project found. Among the major social networks, just Google and Foursquare said straightforwardly that they do not share personally identifiable information, or PII, with third parties.

Pinterest has no limits at all on sharing personally identifiable information with third parties. Twitter shares private user information with third-party “service providers” but imposes confidentiality obligations.

Facebook shares PII with an open-eded group of “partners, advertisers, and developers.” The “business affiliates, third party organizations, service providers, or third party advertisers” with whom Instagram shares user information is broad enough to include pretty much anybody. Facebook and Instagram also define PII very narrowly, such that the company makes to guarantee to protect a user’s IP address or location.

LinkedIn “may disclose user’s personal information and other information to a third party as part of a sale of the assets of LinkedIn Corporation.” Twitter also reserves the right to transfer or sell “as part of Twitter’s involvement in a bankruptcy, merger, acquisition, reorganization or sale. And, yes, Tumblr just sold your user data to Yahoo.

Many social networks also recently disclosed that they’d been hacked, but assured users that their personal data had not been compromised. If it had been, the companies would notify affected users, right? Not necessarily. Google, Facebook, Instagram, Twitter, Foursquare, LinkedIn and Pinterest all declined to answer that question for the University of Victoria researchers.