Privacy concerns with Facebook

Meta Platforms Inc., or Meta for short (formerly known as Facebook), has faced a number of privacy concerns. These stem partly from the company's revenue model, which involves selling information collected about its users for many purposes, including advertisement targeting. Meta Platforms Inc. has also been involved in many data breaches that occurred within the company. These issues and others are described further, including user data concerns, vulnerabilities in the company's platform, investigations by pressure groups and government agencies, and even issues with students. In addition, employers and other organizations and individuals have been known to use Meta Platforms Inc. for their own purposes. As a result, individuals' identities and private information have sometimes been compromised without their permission. In response to these growing privacy concerns, some pressure groups and government agencies have increasingly asserted the users' right to privacy and to be able to control their personal data.

Widening exposure of member information 2011–2012
In 2010 the Electronic Frontier Foundation identified two personal information aggregation techniques called "connections" and "instant personalization". They demonstrated that anyone could get access to information saved to a Facebook profile, even if the information was not intended to be made public. A "connection" is created when a user clicks a "Like" button for a product or service, either on Facebook itself or an external site. Facebook treats such relationships as public information, and the user's identity may be displayed on the Facebook page of the product or service.

Instant personalization was a pilot program that shared Facebook account information with affiliated sites, such as sharing a user's list of "liked" bands with a music website, so that when the user visits the site, their preferred music plays automatically. The EFF noted that "For users that have not opted out, Instant Personalization is instant data leakage. As soon as you visit the sites in the pilot program (Yelp, Pandora, and Microsoft Docs) the sites can access your name, your picture, your gender, your current location, your list of friends, all the Pages you have Liked—everything Facebook classifies as public information. Even if you opt-out of Instant Personalization, there's still data leakage if your friends use Instant Personalization websites—their activities can give away information about you, unless you block those applications individually."

On December 27, 2012 CBS News reported that Randi Zuckerberg, sister of Facebook founder Mark Zuckerberg, criticized a friend for being "way uncool" in sharing a private Facebook photo of her on Twitter, only to be told that the image had appeared on a friend-of-a-friend's Facebook news feed. Commenting on this misunderstanding of Facebook's privacy settings, Eva Galperin of the EFF said "Even Randi Zuckerberg can get it wrong. That's an illustration of how confusing they can be."

Issues during 2007
In August 2007 the code used to generate Facebook's home and search page as visitors browse the site was accidentally made public. A configuration problem on a Facebook server caused the PHP code to be displayed instead of the web page the code should have created, raising concerns about how secure private data on the site was. A visitor to the site copied, published and later removed the code from his web forum, claiming he had been served and threatened with legal notice by Facebook. Facebook's response was quoted by the site that broke the story: "A small fraction of the code that displays Facebook web pages was exposed to a small number of users due to a single misconfigured web server that was fixed immediately. It was not a security breach and did not compromise user data in any way. Because the code that was released powers only Facebook user interface, it offers no useful insight into the inner workings of Facebook. The reprinting of this code violates several laws and we ask that people not distribute it further."

In November Facebook launched Beacon, a system (discontinued in September 2009) where third-party websites could include a script by Facebook on their sites, and use it to send information about the actions of Facebook users on their site to Facebook, prompting serious privacy concerns. Information such as purchases made and games played was published in the user's news feed. An informative notice about this action appeared on the third-party site and allowed the user to cancel it. The user could also cancel it on Facebook. Originally, if no action was taken, the information was automatically published. On November 29 this was changed to require confirmation from the user before publishing each story gathered by Beacon.

On December 1 Facebook's credibility in regard to the Beacon program was further tested when it was reported that The New York Times "essentially accuses" Mark Zuckerberg of lying to the paper and leaving Coca-Cola, which is reversing course on the program, with a similar impression. A security engineer at CA, Inc. also claimed in a November 29, 2007, blog post that Facebook collected data from affiliate sites even when the consumer opted out and even when not logged into the Facebook site. On November 30, 2007, the CA security blog posted a Facebook clarification statement addressing the use of data collected in the Beacon program:

"When a Facebook user takes a Beacon-enabled action on a participating site, information is sent to Facebook for Facebook to operate Beacon technologically. If a Facebook user clicks 'No, thanks' on the partner site notification, Facebook does not use the data and deletes it from its servers. Separately, before Facebook can determine whether the user is logged in, some data may be transferred from the participating site to Facebook. In those cases, Facebook does not associate the information with any individual user account, and deletes the data as well."

The Beacon service ended in September 2009 along with the settlement of a class-action lawsuit against Facebook resulting from the service.

News feed and mini-feed
On September 5, 2006, Facebook introduced two new features called "News Feed" and "Mini-Feed". The first of the new features, News Feed, appears on every Facebook member's home page, displaying recent Facebook activities of the member's friends. The second feature, Mini-Feed, keeps a log of similar events on each member's profile page. Members can manually delete items from their Mini-Feeds if they wish to do so, and through privacy settings can control what is actually published in their respective Mini-Feeds.

Some Facebook members still feel that the ability to opt out of the entire News Feed and Mini-Feed system is necessary, as evidenced by a statement from the Students Against Facebook News Feed group, which peaked at over 740,000 members in 2006. Reacting to users' concerns, Facebook developed new privacy features to give users some control over information about them that was broadcast by the News Feed. According to subsequent news articles, members have widely regarded the additional privacy options as an acceptable compromise.

In May 2010 Facebook added privacy controls and streamlined its privacy settings, giving users more ways to manage status updates and other information broadcast to the public News Feed. Among the new privacy settings is the ability to control who sees each new status update a user posts: Everyone, Friends of Friends, or Friends Only. Users can now hide each status update from specific people as well. However, a user who presses "like" or comments on the photo or status update of a friend cannot prevent that action from appearing in the news feeds of all the user's friends, even non-mutual ones. The "View As" option, used to show a user how privacy controls filter out what a specific given friend can see, only displays the user's timeline and gives no indication that items missing from the timeline may still be showing up in the friend's own news feed.

Inability to voluntarily terminate accounts
Facebook had allowed users to deactivate their accounts but not actually remove account content from its servers. A Facebook representative explained to a student from the University of British Columbia that users had to clear their own accounts by manually deleting all of the content including wall posts, friends, and groups. The New York Times noted the issue and raised a concern that emails and other private user data remain indefinitely on Facebook's servers. Facebook subsequently began allowing users to permanently delete their accounts in 2010. Facebook's Privacy Policy now states, "When you delete an account, it is permanently deleted from Facebook."

Memorials
A notable ancillary effect of social-networking websites is the ability for participants to mourn publicly for a deceased individual. On Facebook, friends often leave messages of sadness, grief, or hope on the individual's page, transforming it into a public book of condolences. This particular phenomenon has been documented at a number of schools. Facebook originally held a policy that profiles of people known to be deceased would be removed after 30 days due to privacy concerns. Due to user response, Facebook changed its policy to place deceased members' profiles in a "memorialization state". Facebook's Privacy Policy regarding memorialization says, "If we are notified that a user is deceased, we may memorialize the user's account. In such cases we restrict profile access to confirmed friends and allow friends and family to write on the user's Wall in remembrance. We may close an account if we receive a formal request from the user's next of kin or other proper legal request to do so."

Some of these memorial groups have also caused legal issues. Notably, on January 1, 2008, one such memorial group posted the identity of murdered Toronto teenager Stefanie Rengel, whose family had not yet given the Toronto Police Service their consent to release her name to the media, and the identities of her accused killers, in defiance of Canada's Youth Criminal Justice Act, which prohibits publishing the names of the under-age accused. While police and Facebook staff attempted to comply with the privacy regulations by deleting such posts, they noted difficulty in effectively policing the individual users who repeatedly republished the deleted information.

Customization and security
In July 2007 Adrienne Felt, an undergraduate student at the University of Virginia, discovered a cross-site scripting (XSS) hole in the Facebook Platform that could inject JavaScript into profiles. She used the hole to import custom CSS and demonstrate how the platform could be used to violate privacy rules or create a worm.

Inadequate privacy controls
Facebook offers privacy controls to allow users to choose who can view their posts: only friends, friends and friends of friends, everyone, custom (specific choice of which friends can see posts). While these options exist, there are still methods by which otherwise unauthorized third parties can view a post. For example, posting a picture and marking it as only viewable by friends, but tagging someone else as appearing in that picture, causes the post to be viewable by friends of the tagged person(s).

Photos taken of people by others can be posted on Facebook without the knowledge or consent of people appearing in the image; persons may have multiple photos which feature them on Facebook without being aware of it. A study has suggested that a photo of a person which reflects poorly on them posted online can have a more harmful effect than losing a password.

When commenting on a private post, the commenting user is not informed if the post they commented on is later made public – which would make their comment on said post also publicly viewable.

Quit Facebook Day
Quit Facebook Day was an online event which took place on May 31, 2010 (coinciding with Memorial Day), in which Facebook users stated that they would quit the social network due to privacy concerns. It was estimated that 2% of Facebook users coming from the United States would delete their accounts. However, only 33,000 users (roughly 0.0066% of its roughly 500 million members at the time) quit the site. The number one reason for users to quit Facebook was privacy concerns (48%), followed by a general dissatisfaction with Facebook (14%), negative aspects regarding Facebook friends (13%), and the feeling of getting addicted to Facebook (6%). Facebook quitters were found to be more concerned about privacy, more addicted to the Internet, and more conscientious.

Photo recognition and face tagging
Facebook enabled an automatic facial recognition feature in June 2011, called "Tag Suggestions", a product of a research project named "DeepFace". The feature compares newly uploaded photographs to those of the uploader's Facebook friends, to suggest photo tags.

National Journal Daily claims "Facebook is facing new scrutiny over its decision to automatically turn on a new facial recognition feature aimed at helping users identify their friends in photos". Facebook has defended the feature, saying users can disable it. Facebook introduced the feature on an opt-out basis. European Union data-protection regulators said they would investigate the feature to see if it violated privacy rules. Naomi Lachance stated in a web blog for NPR, All Tech Considered, that Facebook's facial recognition is right 98% of the time compared to the FBI's 85% out of 50 people. However, the accuracy of Facebook searches is due to its larger, more diverse photo selection compared to the FBI's closed database. Mark Zuckerberg showed no worries when speaking about Facebook's AIs, saying, "Unsupervised learning is a long-term focus of our AI research team at Facebook, and it remains an important challenge for the whole AI research community" and "It will save lives by diagnosing diseases and driving us around more safely. It will enable breakthroughs by helping us find new planets and understand Earth's climate. It will help in areas we haven't even thought of today".

In May 2016 Facebook faced a lawsuit in Illinois for violations of the Biometric Information Privacy Act. In February 2021, the company settled, agreeing to pay $650 million, and shut down the feature in December 2021. Following the shutdown, Cher Scarlett, a former Apple security engineer, in January 2022 tweeted a photo that she had been auto-tagged in by someone unknown to her prior to shutdown. The photo was from the 19th century and she said that she learned it was her great-great-great-grandmother of Volga German ancestry, saying the technology was "dangerous" and "off-putting", and pointed to the implication of genocide.

Tracking of non-members of Facebook
An article published by USA Today in November 2011 claimed that Facebook creates logs of pages visited both by its members and by non-members, relying on tracking cookies to keep track of pages visited.

In early November 2015 Facebook was ordered by the Belgian Privacy Commissioner to cease tracking non-users, citing European laws, or risk fines of up to £250,000 per day. As a result, instead of removing tracking cookies, Facebook banned non-users in Belgium from seeing any material on Facebook, including publicly posted content, unless they sign in. Facebook criticized the ruling, saying that the cookies provided better security.

Stalking
According to statistics, 63% of Facebook profiles are automatically set to be "visible to the public", meaning anyone can access the profiles that users have updated. Facebook also has its own built-in messaging system through which people can send messages to any other user, unless the recipient has restricted the feature to "from friends only". Stalking is not limited to SNS stalking; it can lead to further "in-person" stalking, because nearly 25% of real-life stalking victims reported that it started with online instant messaging (e.g., Facebook chat).

Sharing private messages and contacts' details without consent
In December 2018 it emerged that Facebook had, during the period 2010–2018, granted access to users' private messages, address book contents, and private posts, without the users' consent, to more than 150 third parties including Microsoft, Amazon, Yahoo, Netflix, and Spotify. This had been occurring despite public statements from Facebook that it had stopped such sharing years earlier.

Denial of location privacy, regardless of user settings
In December 2018 it emerged that Facebook's mobile app reveals the user's location to Facebook, even if the user does not use the "check in" feature and has configured all relevant settings within the app so as to maximize location privacy.

Health data from apps sent to Facebook without user consent
In February 2019 it emerged that a number of Facebook apps, including Flo, had been sending users' health data such as blood pressure and ovulation status to Facebook without users' informed consent. New York governor Andrew Cuomo called the practice an "outrageous abuse of privacy", ordered New York's department of state and department of financial services to investigate, and encouraged federal regulators to step in.

Oculus and metaverse platforms
Facebook's acquisition of virtual reality headset manufacturer Oculus has resulted in ongoing concerns over the integration of its hardware and software platforms with Facebook user data. After the acquisition, Oculus co-founder Palmer Luckey had assured users that "you won't need to log into your Facebook account every time you wanna use the Oculus Rift."

Initially the Oculus desktop software provided opt-in integration with Facebook, primarily for identifying Facebook users within their Oculus friends list. In August 2020, Facebook announced that all Oculus products and services would become subject to the unified Facebook privacy policy, code of conduct, and community guidelines moving forward, and that a Facebook account would be required to use Oculus products and services beginning in October. This policy took effect beginning with the Oculus Quest 2. At that time, the ability to create a standalone Oculus account was discontinued, and it was announced that these accounts were to be deprecated effective January 1, 2023.

The requirements, as well as Facebook's later focus on "metaverse" platforms, have led to concerns over the amount of user data that could be collected by the company via virtual reality hardware and interactions, including the user's surroundings, motions and actions, and biometrics. Horizon, a VR social network run as part of the Oculus platform, is subject to Facebook policies, performs "rolling" recordings of interactions that could be uploaded to Facebook servers for the purposes of moderation if users are reported, and users can be observed by moderators without their knowledge if they are reported by others, or "signals" regarding that user are raised by other users via their own actions (such as muting).

In September 2020 Facebook pulled all Oculus products from the German market due to concerns from local regulators over the policy's compliance with the European Union's General Data Protection Regulation (GDPR). In December 2020, the German Federal Cartel Office (Bundeskartellamt) launched an antitrust investigation into Facebook's mandatory integration of its social networking platform with its virtual reality products.

At the Facebook Connect event in October 2021 (where Facebook, Inc. announced its rebranding as Meta), Zuckerberg stated that Meta was "working on making it so you can log in into Quest with an account other than your personal Facebook account". The new "Meta account" was announced in July 2022 as a de facto replacement for Oculus accounts, which will not be explicitly tied to the Facebook social network, and can be linked with other members of the Facebook "Family of Apps" (Facebook, Messenger, Instagram, and WhatsApp). It was stated that Meta Quest users would be allowed to transition to Meta accounts and decouple their Facebook logins from its VR platforms. Ars Technica noted that the new terms of service and privacy policies associated with the Meta account system could allow enforcement of a real name policy (stating that users would be obligated to provide "accurate and up to date information (including registration information), which may include providing personal data"), and still allowed for "rampant" use of user data by Meta, especially if linked with other Facebook apps.

Scraping of contact information
Personal information of 533 million Facebook users, including names, phone numbers, email addresses, and other user profile data, was posted to a hacking forum in April 2021. This information had been previously leaked through a feature allowing users to find each other by phone number, which Facebook fixed to prevent this abuse in September 2019. The company decided not to notify users of the data breach.

The Irish Data Protection Commission, which has jurisdiction over Facebook due to the location of its EU headquarters, then opened an investigation into the breach as a possible violation of GDPR.

Allegations of eavesdropping
There have been allegations by some users that Facebook's mobile app is capable of listening to conversations without consent, citing instances of the service displaying advertisements for products that they had only spoken about, and had otherwise had no prior interactions with. In August 2019, Facebook admitted that it had been sending anonymized voice data from the Messenger app to third-party contractors for human review to improve the quality of its automatic transcription function, but denied that this data was being used for personalized advertising. The company also stated that it had recently suspended human reviews after scrutiny over Amazon, Apple, and Google's use of similar practices for their voice assistant platforms.

Data mining
There have been some concerns expressed regarding the use of Facebook as a means of surveillance and data mining.

Two Massachusetts Institute of Technology (MIT) students used an automated script to download the publicly posted information of over 70,000 Facebook profiles from four schools (MIT, NYU, the University of Oklahoma, and Harvard University) as part of a research project on Facebook privacy published on December 14, 2005. Since then, Facebook has bolstered security protection for users, responding: "We've built numerous defenses to combat phishing and malware, including complex automated systems that work behind the scenes to detect and flag Facebook accounts that are likely to be compromised (based on anomalous activity like lots of messages sent in a short period of time, or messages with links that are known to be bad)."

A second clause that brought criticism from some users allowed Facebook the right to sell users' data to private companies, stating "We may share your information with third parties, including responsible companies with which we have a relationship." This concern was addressed by spokesman Chris Hughes, who said, "Simply put, we have never provided our users' information to third party companies, nor do we intend to." Facebook eventually removed this clause from its privacy policy.

In the United Kingdom the Trades Union Congress (TUC) has encouraged employers to allow their staff to access Facebook and other social-networking sites from work, provided they proceed with caution.

In September 2007 Facebook drew criticism after it began allowing search engines to index profile pages, though Facebook's privacy settings allow users to turn this off.

Concerns were also raised on the BBC's Watchdog program in October 2007 when Facebook was shown to be an easy way to collect an individual's personal information to facilitate identity theft. However, there is barely any personal information presented to non-friends – if users leave the privacy controls on their default settings, the only personal information visible to a non-friend is the user's name, gender, profile picture and networks.

An article in The New York Times in February 2008 pointed out that Facebook does not actually provide a mechanism for users to close their accounts, and raised the concern that private user data would remain indefinitely on Facebook's servers. Facebook gives users the options to deactivate or delete their accounts. Deactivating an account allows it to be restored later, while deleting it will remove the account "permanently", although some data submitted by that account ("like posting to a group or sending someone a message") will remain.

Onavo and Facebook Research
In 2013 Facebook acquired Onavo, a developer of mobile utility apps such as Onavo Protect VPN, which is used as part of an "Insights" platform to gauge the use and market share of apps. This data has since been used to influence acquisitions and other business decisions regarding Facebook products. Criticism of this practice emerged in 2018, when Facebook began to advertise the Onavo Protect VPN within its main app on iOS devices in the United States. Media outlets considered the app to effectively be spyware due to its behavior, adding that the app's listings did not readily disclaim Facebook's ownership of the app and its data collection practices. Facebook subsequently pulled the iOS version of the app, citing new iOS App Store policies forbidding apps from performing analytics on the usage of other apps on a user's device.

Since 2016 Facebook has also run "Project Atlas"—publicly known as "Facebook Research"—a market research program inviting teenagers and young adults between the ages of 13 and 35 to have data such as their app usage, web browsing history, web search history, location history, personal messages, photos, videos, emails, and Amazon order history analyzed by Facebook. Participants would receive up to $20 per month for participating in the program. Facebook Research is administered by third-party beta testing services, including Applause, and requires users to install a Facebook root certificate on their phone. After a January 2019 report by TechCrunch on Project Atlas, which alleged that Facebook bypassed the App Store by using an Apple enterprise program for apps used internally by a company's employees, Facebook refuted the article but later announced its discontinuation of the program on iOS.

On January 30, 2019 Apple temporarily revoked Facebook's Enterprise Developer Program certificates for one day, which caused all of the company's internal iOS apps to become inoperable. Apple stated that "Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple", and that the certificates were revoked "to protect our users and their data". US Senators Mark Warner, Richard Blumenthal, and Ed Markey separately criticized Facebook Research's targeting of teenagers, and promised to sponsor legislation to regulate market research programs.

2010 application privacy breach
In 2010 the Wall Street Journal found that many of Facebook's top-rated apps—including apps from Zynga and Lolapps—were transmitting identifying information to "dozens of advertising and Internet tracking companies" like RapLeaf. The apps used an HTTP referer that exposed the user's identity and sometimes their friends' identities. Facebook said that "While knowledge of user ID does not permit access to anyone’s private information on Facebook, we plan to introduce new technical systems that will dramatically limit the sharing of User ID’s". A blog post by a member of Facebook's team further stated that "press reports have exaggerated the implications of sharing a user ID", though still acknowledging that some of the apps were passing the ID in a manner that violated Facebook's policies.
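
The Referer leak described above is something a site operator can audit for in a log of outbound requests. The following is an added example, not code from Facebook, the apps, or the Wall Street Journal investigation; the host names, the parameter names (`id`, `uid`, `user_id`, `friend_id`) and the log entries are constructed assumptions.

```python
"""Audit outbound requests for account identifiers leaked via the Referer header."""
from urllib.parse import parse_qsl, urlsplit

# Assumptions (hypothetical, not from the article): the first-party site and the
# query parameter names that carry an account identifier in its URLs.
FIRST_PARTY = "social.example"
ID_PARAMS = {"id", "uid", "user_id", "friend_id"}

# Constructed sample log: (destination host, Referer header sent with the request).
SAMPLE_REQUESTS = [
    ("apps.social.example", "https://social.example/profile.php?id=1000001"),
    ("ads.tracker.example", "https://apps.social.example/game?uid=1000001&friend_id=1000002"),
    ("cdn.tracker.example", "https://apps.social.example/game/level/3"),
    ("ads.tracker.example", ""),
]


def is_third_party(host, first_party=FIRST_PARTY):
    """True unless host is the first-party domain or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return not (host == first_party or host.endswith("." + first_party))


def leaked_ids(referer):
    """Identifier values carried in the query string of a Referer URL."""
    pairs = parse_qsl(urlsplit(referer).query)
    return sorted({value for key, value in pairs if key.lower() in ID_PARAMS})


def audit(requests):
    """Report third-party destinations that received a first-party URL with an ID."""
    findings = []
    for destination, referer in requests:
        if not referer or not is_third_party(destination):
            continue  # no Referer sent, or the request stayed first-party
        if is_third_party(urlsplit(referer).hostname):
            continue  # the referring page is not a first-party page
        ids = leaked_ids(referer)
        if ids:
            findings.append({"destination": destination, "ids": ids})
    return findings


def origin_only(referer):
    """Reduce a referrer to scheme://host/, as `Referrer-Policy: origin` does."""
    if not referer:
        return ""
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}/"


def audit_with_policy(requests):
    """Re-run the audit as if every page were served with Referrer-Policy: origin."""
    return audit((dest, origin_only(ref)) for dest, ref in requests)


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS):
        print("leak:", finding)
    print("after policy:", audit_with_policy(SAMPLE_REQUESTS))
```

Only the second sample request is reported: it is the one where a page URL carrying identifiers reaches a third-party host, and trimming the referrer to its origin removes the finding.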

2010 user list
In 2010 Canadian security consultant Ron Bowes of Skull Security created a BitTorrent download consisting of the names of about 100 million Facebook users. Facebook likened the information to what is listed in a phone book. It included some who had opted not to be found by search engines, and some who did not realize their information was public. Bowes created the list to get statistical information about user names, which can be used in both penetration testing and computer break-ins.

AT&T routing glitch
In 2009 and 2010, because Facebook did not require connections to use HTTPS other than at login, a routing glitch at AT&T caused cookies to end up on the wrong users' phones. This resulted in some Facebook users having continuous access to another person's account instead of their own.

Facebook and Cambridge Analytica data scandal
In 2018 Facebook admitted that an app made by Global Science Research and Alexandr Kogan, related to Cambridge Analytica, was able in 2014 to harvest personal data of up to 87 million Facebook users without their consent, by exploiting their friendship connection to the users who sold their data via the app. Following the revelations of the breach, several public figures, including industrialist Elon Musk and WhatsApp cofounder Brian Acton, announced that they were deleting their Facebook accounts, using the hashtag "#deletefacebook".

Facebook was also criticized for allowing the 2012 Barack Obama presidential campaign to analyze and target select users by providing the campaign with friendship connections of users who signed up for an application. However, users signing up for the application were aware that their data, but not the data of their friends, was going to a political party.

Unpublished photo disclosure bug
In September 2018 a software bug meant that photos that had been uploaded to Facebook accounts, but that had not been "published" (and which therefore should have remained private between the user and Facebook), were exposed to app developers. Approximately 6.8 million users and 1500 third-party apps were affected.

Unencrypted password storage
In March 2019 Facebook admitted that it had mistakenly stored "hundreds of millions" of passwords of Facebook and Instagram users in plaintext (as opposed to being hashed and salted) on multiple internal systems accessible only to Facebook engineers, dating as far back as 2012. Facebook stated that affected users would be notified, but that there was no evidence that this data had been abused or leaked.

In April 2019 Facebook admitted that its subsidiary Instagram also stored millions of unencrypted passwords.

Facebook has denied for years that it listens to conversations and in turn releases ads based on them; however, Facebook has been shown to have lied about its policies in the past. In 2016, Facebook stated, "Facebook does not use your phone's microphone to inform ads or to change what you see in News Feed." A spokeswoman said, "Some recent articles have suggested that we must be listening to people's conversations in order to show them relevant ads. This is not true. We show ads based on people's interests and other profile information, not what you’re talking out loud about."

Cooperation with government requests
Government and local authorities rely on Facebook and other social networks to investigate crimes and obtain evidence to help establish a crime, provide location information, establish motives, prove and disprove alibis, and reveal communications. Federal, state, and local investigations have not been restricted to profiles that are publicly available or willingly provided to the government; Facebook has willingly provided information in response to government subpoenas or requests, except with regard to private, unopened inbox messages less than 181 days old, which would require a warrant and a finding of probable cause under federal law, specifically the Electronic Communications Privacy Act (ECPA). One 2011 article noted that "even when the government lacks reasonable suspicion of criminal activity and the user opts for the strictest privacy controls, Facebook users still cannot expect federal law to stop their 'private' content and communications from being used against them".

Facebook's privacy policy states that "We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities". Since the U.S. Congress has failed to meaningfully amend the ECPA to protect most communications on social-networking sites such as Facebook, and since the U.S. Supreme Court has largely refused to recognize a Fourth Amendment privacy right to information shared with a third party, no federal statutory or constitutional right prevents the government from issuing requests that amount to fishing expeditions and there is no Facebook privacy policy that forbids the company from handing over private user information that suggests any illegal activity.

The 2013 mass surveillance disclosures identified Facebook as a participant in the U.S. National Security Administration's PRISM program. Facebook now reports the number of requests it receives for user information from governments around the world.

In 2022 Nebraska police charged a teenage girl and her mother after obtaining Facebook messages which allegedly showed that they performed an illegal self-managed medication abortion.

Complaint from CIPPIC
On May 31, 2008 the Canadian Internet Policy and Public Interest Clinic (CIPPIC), per Director Phillipa Lawson, filed a 35-page complaint with the Office of the Privacy Commissioner against Facebook based on 22 breaches of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). University of Ottawa law students Lisa Feinberg, Harley Finkelstein, and Jordan Eric Plener initiated the "minefield of privacy invasion" suit. Facebook's Chris Kelly contradicted the claims, saying that: "We've reviewed the complaint and found it has serious factual errors—most notably its neglect of the fact that almost all Facebook data is willingly shared by users." Assistant Privacy Commissioner Elizabeth Denham released a report of her findings on July 16, 2009. In it, she found that several of CIPPIC's complaints were well-founded. Facebook agreed to comply with some, but not all, of her recommendations. The Assistant Commissioner found that Facebook did not do enough to ensure users granted meaningful consent for the disclosure of personal information to third parties and did not place adequate safeguards to prevent unauthorized access by third-party developers to personal information.

Investigation by the Irish Data Protection Commissioner, 2011–2012
In August 2011 the Irish Data Protection Commissioner (DPC) started an investigation after receiving 22 complaints by europe-v-facebook.org, which was founded by a group of Austrian students. In his first reactions, the Commissioner stated that the Irish DPC is legally responsible for privacy on Facebook for all users within the European Union and that he will "investigate the complaints using his full legal powers if necessary". The complaints were filed in Ireland because all users who are not residents of the United States or Canada have a contract with "Facebook Ireland Ltd", located in Dublin, Ireland. Under European law Facebook Ireland is the "data controller" for facebook.com, and therefore facebook.com is governed by European data protection laws. Facebook Ireland Ltd. was established by Facebook Inc. to avoid US taxes (see Double Irish arrangement).

The group 'europe-v-facebook.org' made access requests at Facebook Ireland and received up to 1,222 pages of data per person in 57 data categories that Facebook was holding about them, including data that was previously removed by the users. The group claimed that Facebook failed to provide some of the requested data, including "likes", facial recognition data, data about third party websites that use "social plugins" visited by users, and information about uploaded videos. Currently the group claims that Facebook holds at least 84 data categories about every user.

The first 16 complaints target different problems, from undeleted old "pokes" all the way to the question of whether sharing and new functions on Facebook should be opt-in or opt-out. The second wave of 6 more complaints targeted more issues, including one against the "Like" button. The most severe could be a complaint that claims that the privacy policy, and the consent to the privacy policy, are void under European laws.

In an interview with the Irish Independent, a spokesperson said that the DPC will "go and audit Facebook, go into the premises and go through in great detail every aspect of security". He continued by saying: "It's a very significant, detailed and intense undertaking that will stretch over four or five days." In December 2011 the DPC published its first report on Facebook. This report was not legally binding but suggested changes that Facebook should undertake by July 2012. The DPC is planning to review Facebook's progress in July 2012.

Changes
In spring 2012 Facebook had to undertake many changes (e.g., having an extended download tool that should allow users to exercise the European right to access all stored information or an update of the worldwide privacy policy). These changes were seen as not sufficient to comply with European law by europe-v-facebook.org. The download tool does not allow, for example, access to all data. The group has launched our-policy.org to suggest improvements to the new policy, which they saw as a backdrop for privacy on Facebook. Since the group managed to get more than 7,000 comments on Facebook's pages, Facebook had to do a worldwide vote on the proposed changes. Such a vote would have been binding only if 30% of all users had taken part. Facebook did not promote the vote, resulting in only 0.038% participation with about 87% voting against Facebook's new policy. The new privacy policy took effect on the same day.

International lobbying against privacy protections
In early 2019 it was reported that Facebook had spent years lobbying extensively against privacy protection laws around the world, such as GDPR.

The lobbying included efforts by Sandberg to "bond" with female European officials including Enda Kenny (then Prime Minister of Ireland, where Facebook's European operations are based), to influence them in Facebook's favor. Other politicians reportedly lobbied by Facebook in relation to privacy protection laws included George Osborne (then Chancellor of the Exchequer), Pranab Mukherjee (then President of India), and Michel Barnier.

In 2021 Facebook attempted to use "a legal trick" to bypass GDPR regulations in the European Union by including the personal data processing agreement in what they considered to be a "contract" (Article 6(1)(b) GDPR) rather than a "consent" (Article 6(1)(a) GDPR), which would lead to the user effectively granting Facebook a very broad permission to process their personal data with most of the GDPR controls void. The Irish Data Protection Commission (DPC) expressed its preliminary approval for this bypass and sent its draft decision to other data protection authorities in the European Union, at which point the document was leaked to media and published on noyb.eu. The DPC sent a takedown notice to noyb.eu, which the portal also published, refusing to self-censor.

Promotion of service as "free"
In December 2019 the Hungarian Competition Authority fined Facebook around US$4 million for false advertising, ruling that Facebook cannot market itself as a "free" (no cost) service because the use of detailed personal information to deliver targeted advertising constituted a compensation that must be provided to Facebook to use the service.

Student privacy concerns
Students who post illegal or otherwise inappropriate material have faced disciplinary action from their universities, colleges, and schools, including expulsion. Others posting libelous content relating to faculty have also faced disciplinary action. The Journal of Education for Business states that "a recent study of 200 Facebook profiles found that 42% had comments regarding alcohol, 53% had photos involving alcohol use, 20% had comments regarding sexual activities, 25% had seminude or sexually provocative photos, and 50% included the use of profanity." It is inferred that negative or incriminating Facebook posts can affect alumni's and potential employers' perception of them. This perception can greatly impact the students' relationships, ability to gain employment, and ability to maintain school enrollment. The desire for social acceptance leads individuals to want to share the most intimate details of their personal lives along with illicit drug use and binge drinking. Too often, these portrayals of their daily lives are exaggerated and/or embellished to attract like-minded others.

Effect on class engagement
Students in general have a higher engagement when using Facebook groups in class, as students can comment on each other's short writings or videos. Increased teacher-student and student-student interaction, improved performance, and convenience of learning were some of the benefits of using Facebook as an educational instrument. However, it tends to keep students' writing shorter, since checking spelling and typing on a phone keyboard are relatively more time-consuming.

Effect on higher education
On January 23, 2006 The Chronicle of Higher Education continued an ongoing national debate on social networks with an opinion piece written by Michael Bugeja, director of the Journalism school at Iowa State University, entitled "Facing the Facebook". Bugeja, author of the Oxford University Press text Interpersonal Divide (2005), quoted representatives of the American Association of University Professors and colleagues in higher education to document the distraction of students using Facebook and other social networks during class and at other venues in the wireless campus. Bugeja followed up on January 26, 2007, in The Chronicle with an article titled "Distractions in the Wireless Classroom", quoting several educators across the country who were banning laptops in the classroom. Similarly, organizations such as the National Association for Campus Activities, the Association for Education in Journalism and Mass Communication, and others have hosted seminars and presentations to discuss ramifications of students' use of Facebook and other social-networking sites.

The EDUCAUSE Learning Initiative has also released a brief pamphlet entitled "7 Things You Should Know About Facebook" aimed at higher education professionals that "describes what [Facebook] is, where it is going, and why it matters to teaching and learning".

Some research on Facebook in higher education suggests that there may be some small educational benefits associated with student Facebook use, including improving engagement, which is related to student retention. Research from 2012 found that time spent on Facebook is related to involvement in campus activities. This same study found that certain Facebook activities like commenting and creating or RSVPing to events were positively related to student engagement, while playing games and checking up on friends were negatively related. Furthermore, using technologies such as Facebook to connect with others can help college students be less depressed and cope with feelings of loneliness and homesickness.

Effect on college student grades
As of February 2012 only four published peer-reviewed studies have examined the relationship between Facebook use and grades. The findings vary considerably. Pasek et al. (2009) found no relationship between Facebook use and grades. Kolek and Saunders (2008) found no differences in overall grade point average (GPA) between users and non-users of Facebook. Kirschner and Karpinski (2010) found that Facebook users reported a lower mean GPA than non-users. Junco's (2012) study clarifies the discrepancies in these findings. While Junco (2012) found a negative relationship between time spent on Facebook and student GPA in his large sample of college students, the real-world impact of the relationship was negligible. Furthermore, Junco (2012) found that sharing links and checking up on friends were positively related to GPA while posting status updates was negatively related. In addition to noting the differences in how Facebook use was measured among the four studies, Junco (2012) concludes that the ways in which students use Facebook are more important in predicting academic outcomes.

Performative surveillance
Performative surveillance is the notion that people are very much aware that they are being surveilled on websites like Facebook, and use the surveillance as an opportunity to portray themselves in a way that connotes a certain lifestyle, which may or may not distort how that individual is perceived in reality.

Employer-employee privacy issues
In an effort to surveil the personal lives of current or prospective employees, some employers have asked employees to disclose their Facebook login information. This has resulted in the passing of a bill in New Jersey making it illegal for employers to ask potential or current employees for access to their Facebook accounts. Although the U.S. government has yet to pass a national law protecting prospective employees and their social networking sites from employers, the Fourth Amendment of the U.S. Constitution can protect prospective employees in specific situations. Many companies examine Facebook profiles of job candidates looking for reasons to not hire them. Because of this, many employees feel like their online social media rights and privacy are being violated. In addition, employees begin to make performative profiles where they purposefully portray themselves as professional and as having desired personality traits. According to a survey of hiring managers by CareerBuilder.com, the most common deal breakers they found on Facebook profiles include references to drinking, poor communication skills, inappropriate photos, and lying about skills and/or qualifications.

Facebook requires employees and contractors working for them to give permission for Facebook to access their personal profiles, including friend requests and personal messages.

Users violating minimum age requirements
A 2011 study in the online journal First Monday examines how parents consistently enable children as young as 10 years old to sign up for accounts, directly violating Facebook's policy banning young visitors. This policy is in compliance with a United States law, the 1998 Children's Online Privacy Protection Act, which requires minors aged under 13 to gain explicit parental consent to access commercial websites. In jurisdictions where a similar law sets a lower minimum age, Facebook enforces the lower age. Of the 1,007 households surveyed for the study, 76% of parents reported that their child joined Facebook at an age younger than 13, the minimum age in the site's terms of service. The study also reported that Facebook removes roughly 20,000 users each day for violating its minimum age policy. The study's authors also note, "Indeed, Facebook takes various measures both to restrict access to children and delete their accounts if they join." The findings of the study raise questions primarily about the shortcomings of United States federal law, but also implicitly continue to raise questions about whether or not Facebook does enough to publicize its terms of service with respect to minors. Only 53% of parents said they were aware that Facebook has a minimum signup age; 35% of these parents believed that the minimum age is merely a recommendation or thought the signup age was 16 or 18, not 13.

Phishing
Phishing refers to a scam used by criminals to trick people into revealing passwords, credit card information, and other sensitive information. On Facebook, phishing attempts occur through messages or wall posts from a friend's account that was breached. If the user takes the bait, the phishers gain access to the user's Facebook account and send phishing messages to the user's other friends. The point of the post is to get the users to visit a website with viruses and malware.

E-commerce and drop shipping scams
In April 2016 BuzzFeed published an article exposing drop shippers who were using Facebook and Instagram to swindle unsuspecting customers. Located mostly in China, these drop shippers and e-commerce sites would steal copyrighted images from larger retailers and influencers to gain credibility. After luring a customer with a low price for the item, they would then deliver a product that is nothing like what was advertised or deliver no product at all.