Am I right to be annoyed?

[MadduckUK]

I think everything has been discussed to death now, and really we are just feigning interest on the off chance he tells us what group it was he got signed up to. no?

[Unique]

Certainly wouldn't want to advertise that - too many people join and there might not be enough free beer. (Not bothered about the other aspects

However, there is a danger that the thread is running a little off track. Seems to me to be two viewpoints

OP posted some data which he will share with some people. That data didn't include his membership of "The society". This has now has been shared with other people for whom it wasn't intended, through no direct action of his own, and in a way that he cannot control.

Alternative: OP posted data on FB, if he was that concerned, he shouldn't have popsted anyhing.. Ie, FB (or rather, Facebook's privacy settings) cannot be trusted or can be circumvented. Ie the privacy controls do not gurantee privacy in all situations.

While I have some sympathy with the first view, and therefore is justified in being annoyed (in general) principle 2 should be born in mind "Facebook's privacy controls do not gurantee privacy in all situations" (and extend that to social network sites in general). The "Law of Unintended Consequences" seems relevant.

that's my take on it

and it only took me 2 seconds to find out what group it was, so it wasn't the hardest to find, most secure data. and i found the group as a result of the data the OP posted online himself

i don't think we are going to get any further with this as it's just a matter of opinion ultimately, but facebook automatically adding people to groups instead of letting them accept or not is annoying a few people. the barrage of absolute crap that some people post as part of groups is also annoying, especially when you get email reports with it day and night

[TooNice]

I still think the flaw comes primarily from Facebook's end.

You should have full control over your profile - then this would never have happened.

If it wasn't for this thread, I would have been completely unaware.

+1. And we're probably not the only ones who only found out about it now after 8 months it seems (http://weblogs.about.com/od/socialne...Permission.htm) Guess my friends gave up trying to get me to join groups.

Saying that I don't think that this would have been a problem if it was the default behaviour from the outset. I don't see too many complaints about people being able to tag a friend without the friend approving of it first. It's arguable that "this is how FB works, suck it up or leave" [I should note that I did not use FB for as long as some, so I don't know if things were different at one point in regards to picture tagging].

Auto-accepting group invitation is a moderately recent feature creep, and if the phrasing is "X joined group Y, as opposed" to "X was added to group Y", then yeah, I am not most impressed.

@Disturbedguy: One of the feature social networking have in common, is the ability to easily find friends of friends. If the organiser added everyone in his contact list, then all the members will know is that Lucio is a friend of that organiser. Information they already had via the organiser's friend list.

Granted that if those friends of the organiser added more people in, then more people would have access to a link of Lucio's presumably locked profile (in practice, you'd really need to be bored to click on the public profile of someone you do not know at all). But one of the key functionality of social networking site is to find people. If you don't want a bare public profile someone online, then you are much better off with other communication mediums really. Personally I can understand people not wanting to access your wall/pictures/detailed profile, but I don't understand why anyone can be concerned about the link the general profile anyone else can access in the first place.

[Saracen]

Several people have said there is no DPA issue involved here, and as I think it was me that first raised the DPA, by saying something like (without looking up the exact wording) that there might be a DPA issue here, let me clarify what I meant.

Broadly speaking, if you "process personal information" you are subject to the requirements of the DPA, and not complying with it can be a criminal offence. That doesn't just apply to companies and government bodies etc, but, unless a specific exemption applies, to individuals, groups, clubs and societies as well. There are exemptions from that, including some not-for-profit organisations, and individuals processing data for domestic purposes, and some for specific uses of the data.

So, at this point, I have no idea whether the "society" would fall under the "not-for-profit" exemption, or whether the individual would be exempt, or whether the use would. It might or might not. But it is certainly possible the individual would not be regarded as processing Lucio's data for "domestic" purposes, if they are doing it for a club or society. It is also possible that the society is, or is not, exempt on, for instance, "not for profit" grounds, or that aFacebook group might not be covered by the advertising, marketing and PR exemption.

But .... if the data is regarded as "personal", and the "friend/organiser" is acting in their capacity as an organiser for that society (and it seems they were, by setting up an "official" Facebook group for that society) and that is classed as "processing, under the definitions of the Act, and if the society does not qualify or an exemption, then it is quite possible that :-

a) the society should be DPA registered. So is it? If not, that's an offence.
b) that the "friend", as an organiser controlling the use of personal data, would be classed as a "data controller" by the Act.

If b) applies, then that friend in their personal capacity may well not have any DPA obligations provided they process only for domestic purposes, but as an organiser, they are required to comply with the need for declarations as to how they acquire data, how they process it and what purposes they process it for.

Odds are, for a small society, the friend is not even aware of this, but as the old adage goes, ignorance of the law is generally no excuse.

From what has been said, the information required to join Lucio to this Facebook group (that being his Facebook identity, was provided to the friend as a friend not as an organiser, and if they have used it in an inappropriate way (as it sees they have) then it may constitute another breach of the DPA.

None of this is exactly going to light a fire under the Information Commissioner's office, and they're not exactly going to wet themselves in anticipation of a prosecution, but it might be a breach of the DPA in at least a couple of ways. Or it might not.

As for the "public domain"argument, exactly what does constitute "in the public domain" is a very slippery point, and depends hugely on context. For instance, in a patent context, "publishing" information to just one person (not covered by a confidentiality agreement) might be enough to scupper the patent, but it categorically is not the case that publishing a piece of info to one, or a number, of individuals (such as giving a friend a phone number) does not constitute putting it in the public domain. In other words, it's a complicated area.