You’ve probably heard by now about the change that Facebook made to its Terms-of-Service (”TOS”) policy last week regarding the company’s “perpetual use” of a user’s information even after the user terminates his/her Facebook account.  It prompted an outcry, with many users threatening to quit the service.  Facebook has now done a complete about-face and announced, for the time being at least, that the old TOS was going to be reinstituted while the company resolves “the issues that people have raised.”

The change focused upon the license provision of the TOS.  Facebook deleted a sentence from its old policy that the company could not claim any rights to a user’s content once that person’s account was closed.  Instead, the company replaced it with other language giving it the right to store and retain copies of a user’s content indefinitely.  It must have been a slow news day, because this really shouldn’t have created the firestorm that it did.

First, at no time did Facebook exercise any actual ownership claims over its users’ content.  It never did.  Copyright remained with the user, where it’s always been.  So people need to relax.  Some of the articles and blog postings that I’ve seen are trying to read much more into this change then there really is (or was). 

Also, even under its broad license provision—which is hardly unusual—people need to be a bit more realistic about their own content.  Facebook simply has no interest in using the picture of you and your German Shepherd playing together on the lawn or in the song you strummed on your guitar one night for your friends.  To put it bluntly:  Get over yourself.

In many ways, this is a tempest in a teapot.  However, when you’re the biggest social networking site at the moment and are growing by about 4 to 5 million users per week, even small changes to a TOS can take on a life of their own.  Mark Zuckerberg, Facebook’s CEO, characterized the reason for the change this way:

One of the questions about our new terms of use is whether Facebook can use this information forever. When a person shares something like a message with a friend, two copies of that information are created—one in the person’s sent messages box and the other in their friend’s inbox. Even if the person deactivates their account, their friend still has a copy of that message. We think this is the right way for Facebook to work, and it is consistent with how other services like email work. One of the reasons we updated our terms was to make this more clear.

In reality, we wouldn’t share your information in a way you wouldn’t want. The trust you place in us as a safe place to share information is the most important part of what makes Facebook work. Our goal is to build great products and to communicate clearly to help people share more information in this trusted environment.

Facebook’s position is not unreasonable.  While users are perhaps rightly concerned that this seemingly small TOS change could have a far greater impact then intended, let’s not go too crazy with anti-Facebook sentiment just yet.  I’m all for privacy and protecting people’s personal information—it’s a continuing theme throughout this blog.  It’s an important issue and people should be concerned.

But does anyone seriously think that if Facebook did something stupid—such as taking an expired user’s picture or other content and using it in an advertisement—the backlash against it wouldn’t be swift and severe?  While the company would be able to point to its TOS claiming that it had the right to do what it did, it would still become a public relations fiasco, with prominent bloggers leading the “I told you so” charge and the refrain, “just because you have the right to do something doesn’t mean you should.”  Facebook obviously understands that.

While the company has achieved critical mass and its 175 million users gives Facebook considerable muscle at the moment, internet users are a fickle bunch.  The next social networking site is only an e-mail address and password away.  And if that site were to offer comparable or better services and a more user-friendly TOS that gives its users more control over their content, word would spread as only word can on the internet.  Every internet business is acutely aware that its next competitor may be a garage or college dorm room away.  So Facebook will be cautious in what it does, as its reversion back to the old TOS demonstrates.

Zuckerberg also correctly notes that these issues are “difficult terrain to navigate and we’re going to make some missteps.”  As a technology lawyer, I can attest that they are indeed difficult issues to address and require a great deal of thought.  So while this may have been a bit of a misstep from a public relations perspective, it’s also a “sensible” one given some of the concerns that the company has.  While Facebook is going to slow the TOS amendment process down somewhat, it will still move forward.  It will be evolutionary, not revolutionary. 

As an attorney who both drafts and litigates TOS policies, there are some practical lessons to be learned here.  At the very outset of a website’s inception, I often—but not always—tell my clients to go for the broadest possible content license from its users when the TOS is first posted, unless there are reasons against it (which there sometimes are depending upon the type of entity that is collecting the content and the type of content being collected).  Better to have it and not need it, than to need it and not have it.

This way, users know at the very outset (or at least are given the opportunity to know) what licensed rights the company has in their content.  Based upon all of the TOSs that I’ve drafted through the years, I’ve found that in many instances it’s only after a site catches-on and becomes popular that people start to pay really close attention to how they’re content is being used.  And the site may never catch-on so it may never become an issue.  Also, as a general matter, few users read a TOS when it’s first posted anyway.  And since so many sites use them, there tends to be ”TOS fatigue.”  They don’t exactly make for a stimulating read no matter how plainly they’re written.

It’s only later when a company announces its inevitable changes to the TOS that users then pore over the language—which is what happened to Facebook.  If after the site has been up-and-running, a company wants to restrict what it does with a user’s information, i.e., disseminate or use it less broadly than originally intended, few users would raise an eyebrow.  After all, people don’t often complain that a company isn’t using their personal information broadly enough.  How would users even know?  If the TOS is drafted properly, the company would have the right to use as little information as it wants anyway.  It’s the broader uses that get a company into trouble. 

While I realize that this is much easier said than done and that a company may not really know what it needs when it first starts doing business (Facebook, after all, started out as a site while Zuckerberg was at Harvard), I prefer to err on the side of caution and ask for broad user license rights that a company may never need, as opposed to too few rights and then run the very real risk of alienating users if the company needs to ask them for more.  At that point, everyone is paying attention.  But it depends on many factors and can be a bit of a “balancing test.”  So if you’re in the process now of putting together your site, develop the TOS carefully and think it through.

Perhaps that’s the plus side from the Facebook story.  People are indeed paying attention to these issues more and more.  So companies do need to be careful.  All it takes is one blog post and . . . .

While I don’t practice criminal law, I thought this story was worth a quick mention because of its far-reaching implications for both privacy rights and criminal law.  A federal judge in Vermont has ordered a criminal defendant, Sebastien Boucher, to decrypt his hard drive so prosecutors can view the unencrypted files.  Specifically, the judge wants Boucher to type in his “PGP” password.  (”PGP” stands for “Pretty Good Privacy,” which is encryption software).

Boucher, a canadian citizen who is a permanent resident in the United States, was coming back from Canada in December of 2006 when a customs agent—without needing the password—searched his laptop and allegedly found thousands of images of adult and child pornography. 

Boucher was arrested, was given and waived his Miranda rights, and allegedly told customs agents that he might have downloaded child pornography.  His laptop was then shut down after his arrest.  It wasn’t until later when law enforcement tried to access his computer again that they learned the drive was encrypted with PGP and couldn’t be accessed without Boucher’s password.

A federal magistrate originally ruled in November of 2007 that the Fifth Amendment prevented Boucher from being forced to disclose his password.  As I’m sure most of you know, the Fifth Amendment is a cornerstone of the American criminal justice system which  provides that:  “No person . . . shall be compelled in any criminal case to be a witness against himself . . . .”  In other words, given the criminal charges against him, Boucher had a Fifth Amendment right to keep the files encrypted.

The federal district court judge overruled the magistrate and found that Boucher doesn’t have such a Fifth Amendment right.  According to the judge, Boucher “has already admitted to possession of the computer, and provided the government with access to the Z drive. The government has submitted that it can link Boucher with the files on his computer without making use of his production of an unencrypted version of the Z drive, and that it will not use his act of production as evidence of authentication.”  

This case will be appealed to the Second Circuit.  And no matter who wins there, an appeal to the Supreme Court seems likely given the importance of the issue.  As noted in the article, Homeland Security claims that it has the right to seize anyone’s laptop at the border for an indefinite period of time, so issues such as this take on special significance (although this policy is now being closely scrutinized by lawmakers, outside interest groups, and those within Homeland Security).  Stay tuned!

I know advertisers are constantly looking to determine how effective their ads are, but this story is just creepy.  Not necessarily for what it is at the moment—which seems harmless—but for what it can (and will) lead to in the not-too-distant future.  It seems that advertisers, in their never-ending quest to gather as much information as they can about you to supposedly better target your preferences, have now started to embed cameras in video screens that display advertisements.  These cameras watch you as you watch the ad.

The cameras can apparently determine—with a fair degree of accuracy—the person’s gender, approximate age range, and ethnicity (in some cases).  As a result, the advertisements can tailor themselves to the person viewing them.  Thus, according to the article, men could see ads for razors, women could view cosmetics ads, and teens could check-out the latest video game advertisements. 

The advertising industry hasn’t quite decided what to call these ads yet, but early contenders include such terms as “smart ads,” ”proactive merchandising,” “gaze tracking,” or the lengthier “face-based audience measurement.”  Sounds innocuous, doesn’t it? The article is quick to point out that the technology doesn’t identify people individually, but only the categories mentioned above. 

So it’s far from perfect.  For now.  But does anyone truly think that it won’t be vastly improved in the future?  Advanced face-tracking technology is already used by various government agencies and security companies.  How long do you think it will be until these types of ads can identify people individually, correlate and aggregate the information, and then engage in “hyper-targeting” (for lack of a better word)?

Imagine staring at an advertisement for Ex-Lax at a local mall for a few seconds only to return home and find a $5.00 off coupon waiting for you in your e-mail.  Or how about ads from Ex-Lax’s competitors, with the heading, “Constipated”?  Or better yet, how about if it’s sent directly to your cell phone or PDA, especially when you walk past a drugstore?  There’s nothing like instant gratification these days. 

Think it won’t happen?  It’s only a matter of time.  Of course, Congress or the states can step in and try to outlaw these eventual types of advertising practices (which will hopefully withstand First Amendment challenges), but there’s no indication that they will—especially given the considerable strength of the advertising lobby.  

Advertisers will undoubtedly claim that such methods will allow them to tailor their message to people who not only want their products, but need them.  I can see the pitch to Congress now during the hearings:  “Our methods allow us to deliver specifically-targeted content to consumers who will not only benefit from use of our product, but will also be given the opportunity to derive savings and . . .” blah, blah, blah.  Remember, the business of America is business, and advertising is the great facilitator of that.

And of course, the issue is never just the collection and aggregation of the data, but what happens to it, who can see it, how it’s used, under what circumstances it can be disclosed, and all of those other pesky policy questions that relate to giving an individual some semblance of control over their personal lives.  Just don’t expect any help from the advertisers.  

Ask and ye shall receive.  My January 21st post discussed some of the potential legal issues that could arise by using Twitter.  Lo and behold, one just did.  And from a Congressman no less.  And not just any Congressman, but House Minority Leader John Boehner, who also happens to be the Ranking Member of the House Intelligence Committee.

It seems that Boehner could have used some of that intelligence before he twittered his network about his secret trip to Baghdad.  As he arrived in Iraq, he sent the following “tweet” from his BlackBerry:  “Just landed in Baghdad. I believe it may be first time I’ve had bb service in Iraq.  11th trip here.”  Nothing like letting people know the time and place of where you happen to be.  It’s not like terrorists would be interes—whoops.  Nevermind.

If the Ranking Member of the House Intelligence Committee can so easily and nonchalantly disclose secret information, you can only imagine what else will be coming down the pike in the near future.  While it’s unclear if any laws were broken in this instance, it nevertheless highlights the dangers of the informal nature of Twitter that I discussed in my earlier post.  Security lapses like this are just the beginning.