Ask an Engineer: What do you think of the Facebook Terms of Service Flap?

February 18, 2009 · · Posted by Greg Lloyd

If you haven't been paying attention to this week's flap on Facebook's revised terms of service - posted three days ago and retracted today - Andrew Lavelle of the Wall Street Journal published a good recap today. The controversy relates to what rights does Facebook get to content that an individual Facebook user posts? There are a lot of good arguments about what rights people think Facebook should be able to retain, but there's a second level of discussion that relates to how people expect Facebook privacy settings to work, and how these expectations make it difficult to craft an agreement that seems fair, makes sense, and corresponds to what Facebook actually implements and enforces.

Lavelle quotes Techcrunch's Erik Shonfeld: “If I upload a picture which I later regret uploading, why shouldn’t I be able to erase it from Facebook forever, even if some of my friends have already seen it?”

Facebook's Mark Zuckerberg's Monday 5:09PM post said:

"Our philosophy is that people own their information and control who they share it with. When a person shares information on Facebook, they first need to grant Facebook a license to use that information so that we can show it to the other people they've asked us to share it with. Without this license, we couldn't help people share that information.

One of the questions about our new terms of use is whether Facebook can use this information forever. When a person shares something like a message with a friend, two copies of that information are created—one in the person's sent messages box and the other in their friend's inbox. Even if the person deactivates their account, their friend still has a copy of that message. We think this is the right way for Facebook to work, and it is consistent with how other services like email work. One of the reasons we updated our terms was to make this more clear."

These examples show the difficulty in defining privacy policy based on two different and irreconcilable sets of expectations. If you don't grant Facebook legal permission to share what you post based on your privacy settings, Facebook doesn't work as you expect. And if Facebook's implementation doesn't enforce your privacy settings correctly, you have a right to be upset (or sue). But if you change your mind - or cancel your Facebook account - what happens to content that you've granted Facebook the right to share with other Facebook users? Here are two alternatives:

1) Grant Facebook rights subject what you ever posted to your Wall or someone else's Wall subject to your privacy settings which you can change at any time. This require Facebook to restrict future access to whatever you have posted or shared directly or indirectly with others using Facebook when you subsequently change your mind or leave Facebook and cancel your account (e.g. Ted Nelson style enforcable “transcopyright”).

2) Grant Facebook rights to use copies of your content (the copyrighted email message model) that you post to your Wall or someone else’s Wall directly or using a third party’s Facebook API. You arguably have a legal right to restrict future use of copyrighted content distributed to others via third parties, but don’t have a practical way to retract content that has been copied and stored outside Facebook’s direct control.

Zuckerberg argues that the content of your Wall might disappear or be restricted based on your privacy settings (or disappear if you cancel your account), but whatever you've posted to someone else's Wall might be retained by Facebook - and deleted or restricted by the owner of that Wall. This may or may not be what you want - and not how I read what Facebook's promised to do in Mondays (retracted) revised terms:

"You are solely responsible for the User Content that you Post on or through the Facebook Service. You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof. You represent and warrant that you have all rights and permissions to grant the foregoing licenses."

My reading of this was a promise to respect an individuals privacy settings for whatever that individual posted to their own Wall or anyone else's Wall - directly or indirectly - in exchange for rights to copy distribute that content. If so, Facebook is setting a pretty high bar for what they have to implement.

I read Monday's version as a promise to track sharing rules based on Facebook privacy settings as you may change them over time. If so, it looks like developers who use the Facebook API need to reference the current value of per user privacy settings that are authoritatively maintained by the Facebook platform. Not a bad position for Facebook as the gatekeeper for all runtime access - but not easy to craft an agreement that “make sense”, is broad enough to protect Facebook, matches what they actually implement, and can be enforced on their Facebook API developers who also need access to user content.

For a good example, see Nicolas Kolakowski's Feb 20, 2009 eWeek story Facebook Launches Social Widget for Facebook Connect :

"Facebook Connect allows users to sign on to other sites and blogs using their Facebook account information. Comments Box would allow these users to post comments on not only the outside Web site, but also their Facebook profiles, where they could be shared with other subscribers." -

When you close your Facebook account or decide to restrict access to a comment posted within Facebook, what do you expect to happen to the same comment posted to the outside site? Would you expect to be able to retract your comment on the outside site (not a common expectation)? How would you craft a legal agreement to meet "reasonable" expectations that Facebook and sites that use their API promise to obey and enforce?
February 22, 2009 | # | Greg Lloyd

For comparison, Traction TeamPage uses run-time transclusion with permission checking to grant or deny access to to posts, pages, comment and tags (as well as what you can see by navigating, searching, Jabber or email notification and RSS/Atom feeds).

The TeamPage model uses permissions attached to the content of specific work spaces rather than individuals, but allows private comments in one space (e.g. the Support project) to be added to any paragraph of a more public space (e.g. a customer Forum), and shown only if the reader has permission to read the top level entry and the spaces(s) in which comments on that entry are posted.

This makes it easy add or remove a person from the access list of the Support project, and instantly change the page content, comments, tag clouds and search results that person can see.

See Borders, Spaces, and Places
Reinventing the Web
Enterprise 2.0 - Letting hypertext out of its box

Page Top