You’ve probably heard by now about the change that Facebook made to its Terms-of-Service (“TOS”) policy last week regarding the company’s “perpetual use” of a user’s information even after the user terminates his/her Facebook account.  It prompted an outcry, with many users threatening to quit the service.  Facebook has now done a complete about-face and announced, for the time being at least, that the old TOS was going to be reinstituted while the company resolves “the issues that people have raised.”

The change focused upon the license provision of the TOS.  Facebook deleted a sentence from its old policy that the company could not claim any rights to a user’s content once that person’s account was closed.  Instead, the company replaced it with other language giving it the right to store and retain copies of a user’s content indefinitely.  It must have been a slow news day, because this really shouldn’t have created the firestorm that it did.

First, at no time did Facebook exercise any actual ownership claims over its users’ content.  It never did.  Copyright remained with the user, where it’s always been.  So people need to relax.  Some of the articles and blog postings that I’ve seen are trying to read much more into this change then there really is (or was). 

Also, even under its broad license provision—which is hardly unusual—people need to be a bit more realistic about their own content.  Facebook simply has no interest in using the picture of you and your German Shepherd playing together on the lawn or in the song you strummed on your guitar one night for your friends.  To put it bluntly:  Get over yourself.

In many ways, this is a tempest in a teapot.  However, when you’re the biggest social networking site at the moment and are growing by about 4 to 5 million users per week, even small changes to a TOS can take on a life of their own.  Mark Zuckerberg, Facebook’s CEO, characterized the reason for the change this way:

One of the questions about our new terms of use is whether Facebook can use this information forever. When a person shares something like a message with a friend, two copies of that information are created—one in the person’s sent messages box and the other in their friend’s inbox. Even if the person deactivates their account, their friend still has a copy of that message. We think this is the right way for Facebook to work, and it is consistent with how other services like email work. One of the reasons we updated our terms was to make this more clear.

In reality, we wouldn’t share your information in a way you wouldn’t want. The trust you place in us as a safe place to share information is the most important part of what makes Facebook work. Our goal is to build great products and to communicate clearly to help people share more information in this trusted environment.

Facebook’s position is not unreasonable.  While users are perhaps rightly concerned that this seemingly small TOS change could have a far greater impact then intended, let’s not go too crazy with anti-Facebook sentiment just yet.  I’m all for privacy and protecting people’s personal information—it’s a continuing theme throughout this blog.  It’s an important issue and people should be concerned.

But does anyone seriously think that if Facebook did something stupid—such as taking an expired user’s picture or other content and using it in an advertisement—the backlash against it wouldn’t be swift and severe?  While the company would be able to point to its TOS claiming that it had the right to do what it did, it would still become a public relations fiasco, with prominent bloggers leading the “I told you so” charge and the refrain, “just because you have the right to do something doesn’t mean you should.”  Facebook obviously understands that.

While the company has achieved critical mass and its 175 million users gives Facebook considerable muscle at the moment, internet users are a fickle bunch.  The next social networking site is only an e-mail address and password away.  And if that site were to offer comparable or better services and a more user-friendly TOS that gives its users more control over their content, word would spread as only word can on the internet.  Every internet business is acutely aware that its next competitor may be a garage or college dorm room away.  So Facebook will be cautious in what it does, as its reversion back to the old TOS demonstrates.

Zuckerberg also correctly notes that these issues are “difficult terrain to navigate and we’re going to make some missteps.”  As a technology lawyer, I can attest that they are indeed difficult issues to address and require a great deal of thought.  So while this may have been a bit of a misstep from a public relations perspective, it’s also a “sensible” one given some of the concerns that the company has.  While Facebook is going to slow the TOS amendment process down somewhat, it will still move forward.  It will be evolutionary, not revolutionary. 

As an attorney who both drafts and litigates TOS policies, there are some practical lessons to be learned here.  At the very outset of a website’s inception, I often—but not always—tell my clients to go for the broadest possible content license from its users when the TOS is first posted, unless there are reasons against it (which there sometimes are depending upon the type of entity that is collecting the content and the type of content being collected).  Better to have it and not need it, than to need it and not have it.

This way, users know at the very outset (or at least are given the opportunity to know) what licensed rights the company has in their content.  Based upon all of the TOSs that I’ve drafted through the years, I’ve found that in many instances it’s only after a site catches-on and becomes popular that people start to pay really close attention to how they’re content is being used.  And the site may never catch-on so it may never become an issue.  Also, as a general matter, few users read a TOS when it’s first posted anyway.  And since so many sites use them, there tends to be ”TOS fatigue.”  They don’t exactly make for a stimulating read no matter how plainly they’re written.

It’s only later when a company announces its inevitable changes to the TOS that users then pore over the language—which is what happened to Facebook.  If after the site has been up-and-running, a company wants to restrict what it does with a user’s information, i.e., disseminate or use it less broadly than originally intended, few users would raise an eyebrow.  After all, people don’t often complain that a company isn’t using their personal information broadly enough.  How would users even know?  If the TOS is drafted properly, the company would have the right to use as little information as it wants anyway.  It’s the broader uses that get a company into trouble. 

While I realize that this is much easier said than done and that a company may not really know what it needs when it first starts doing business (Facebook, after all, started out as a site while Zuckerberg was at Harvard), I prefer to err on the side of caution and ask for broad user license rights that a company may never need, as opposed to too few rights and then run the very real risk of alienating users if the company needs to ask them for more.  At that point, everyone is paying attention.  But it depends on many factors and can be a bit of a “balancing test.”  So if you’re in the process now of putting together your site, develop the TOS carefully and think it through.

Perhaps that’s the plus side from the Facebook story.  People are indeed paying attention to these issues more and more.  So companies do need to be careful.  All it takes is one blog post and . . . .

I know advertisers are constantly looking to determine how effective their ads are, but this story is just creepy.  Not necessarily for what it is at the moment—which seems harmless—but for what it can (and will) lead to in the not-too-distant future.  It seems that advertisers, in their never-ending quest to gather as much information as they can about you to supposedly better target your preferences, have now started to embed cameras in video screens that display advertisements.  These cameras watch you as you watch the ad.

The cameras can apparently determine—with a fair degree of accuracy—the person’s gender, approximate age range, and ethnicity (in some cases).  As a result, the advertisements can tailor themselves to the person viewing them.  Thus, according to the article, men could see ads for razors, women could view cosmetics ads, and teens could check-out the latest video game advertisements. 

The advertising industry hasn’t quite decided what to call these ads yet, but early contenders include such terms as “smart ads,” ”proactive merchandising,” “gaze tracking,” or the lengthier “face-based audience measurement.”  Sounds innocuous, doesn’t it? The article is quick to point out that the technology doesn’t identify people individually, but only the categories mentioned above. 

So it’s far from perfect.  For now.  But does anyone truly think that it won’t be vastly improved in the future?  Advanced face-tracking technology is already used by various government agencies and security companies.  How long do you think it will be until these types of ads can identify people individually, correlate and aggregate the information, and then engage in “hyper-targeting” (for lack of a better word)?

Imagine staring at an advertisement for Ex-Lax at a local mall for a few seconds only to return home and find a $5.00 off coupon waiting for you in your e-mail.  Or how about ads from Ex-Lax’s competitors, with the heading, “Constipated”?  Or better yet, how about if it’s sent directly to your cell phone or PDA, especially when you walk past a drugstore?  There’s nothing like instant gratification these days. 

Think it won’t happen?  It’s only a matter of time.  Of course, Congress or the states can step in and try to outlaw these eventual types of advertising practices (which will hopefully withstand First Amendment challenges), but there’s no indication that they will—especially given the considerable strength of the advertising lobby.  

Advertisers will undoubtedly claim that such methods will allow them to tailor their message to people who not only want their products, but need them.  I can see the pitch to Congress now during the hearings:  “Our methods allow us to deliver specifically-targeted content to consumers who will not only benefit from use of our product, but will also be given the opportunity to derive savings and . . .” blah, blah, blah.  Remember, the business of America is business, and advertising is the great facilitator of that.

And of course, the issue is never just the collection and aggregation of the data, but what happens to it, who can see it, how it’s used, under what circumstances it can be disclosed, and all of those other pesky policy questions that relate to giving an individual some semblance of control over their personal lives.  Just don’t expect any help from the advertisers.  

A common theme in my blog is that there’s just too much damned information out there about people and the various privacy concerns that it raises.  Of course, it’s hard to point the finger when people themselves foolishly contribute to the daily onslaught of information.  Facebook, like many other social networking sites, has become a clearinghouse for stupidity over the past few years and it seems like there’s no end in sight.

Take the case of Betsy Ramsdale, a teacher in Wisconisn.  It seems that Ramsdale couldn’t resist the urge of taking a picture of herself pointing a gun at the camera.  Kids, make sure you get your homework in on time!  (And no mistakes!) 

While it doesn’t appear that there was any malicious intent on her part, you have to wonder in this age of school shootings what she could have possibly been thinking.  She’s been a teacher for over a decade.  Ramsdale was placed on administrative leave while the school investigates.

This is just another cautionary Facebook tale.  There will be many others in the not-too-distant future.  If you must include potentially controversial or questionable pictures in your Facebook profile, it’s best to keep your profile private and only share it with friends you know and trust. 

Of course, there’s still no guarantee that even controversial photographs won’t be disseminated outside your network.  All it takes is one friend with a “you-gotta-see-this” mentality who sends it to somebody else and the next thing you know, it’s a news story.  So, when in doubt, just leave it out!

Does the flood of information ever end?  Do we have to know everything about everyone—in real time?  While location-tracking software is not new (well, not too new, anyway), Google’s expected move into this market only further reinforces Scott McNealy’s eerily prophetic saying, “You have zero privacy anyway.  Get over it.”  But now when you “get over it,” all of your friends will be able to see exactly where you were and when.

Google just launched its Latitude software that lets mobile phone users share their mapped location with their network of contacts—if they so choose.  This is nothing new, per se, given the existence of other companies such as Loopt, BrightKite, and Dopplr (for example), as well as most people’s familiarity with GPS, but Google’s entry into the marketplace provides further evidence that the technology is becoming even more widespread.  Maybe too much so.  But when the 800 pound gorilla talks, everyone listens.

According to the article, Google “hopes it will help people find each other while out and about and keep track of loved ones.”  Those are helpful and noble intentions.  What parents wouldn’t want to know where their teenagers are?  Or be able to direct a lost friend to your precise location?  But hope is a fickle thing.  And what Google hopes for and how Latitude will actually be used are two entirely different things.  We all know what the road to hell is paved with.  Lawyers make their living off of it (more on that in a moment).

Google requires that people expressly sign-up for the service and gives them the opportunity to tailor their preferences as to who they can share their location with, as well as the type of information shared.  While that gives the user some degree of control, it’s probably only a matter of time before a bored 16 year-old in hacks into the system and tracks people. 

Even if this doesn’t occur anytime soon, a disgruntled ex-husband may be able to track his ex-wife who forgot to take him out of her “network.”  While entire companies have sprung-up offering this type of GPS-based (and typically illegal) service, now a person can do so without any special equipment whatsoever.  Just a little bit of software and a forgetful spouse.  It goes without saying that stalking is a very real problem in this digital age and tools that used to be available only to law enforcement are becoming increasingly more common.

The fact that such software is even available is part of the larger privacy debate that will be with us for quite some time.  There are no easy answers in a society that never seems to have enough information about others.  Yet from a litigation perspective, few people may realize that all of this location data is stored by a provider for varying degrees of time and subject to subpoena and disclosure in the proper circumstances. 

Thus, in criminal or civil cases where a person’s time and location is an issue, it provides yet one more tool for lawyers to pursue when representing their clients.  Just ask those divorce attorneys in Massachusetts and elsewhere about getting all of that “E-Z Pass” toll information to discover cheating spouses.  Modern convenience has its costs.

So the age old Perry Mason question, “Where were you on February 4, 2009?” now becomes, “Why were you on the corner of 53rd and 7th Avenue at 3:12 p.m. on February 4, 2009?”  And while it may—may—help lawyers such as myself get to the truth faster in a courtroom, the human part of me (and yes, that still exists) finds it it to be unsettling.  So bad grammar aside, the question, ”Where you at?” now becomes, “Why you there?”  Ah technology . . . .

It may be due to a difficult job market.  Or perhaps it’s just a sign of the times.  According to one article, however, 83% of recruiters now search the internet for “digital dirt” in order to weed out prospective job candidates.  Thus, inappropriate Facebook photos, unbecoming MySpace profiles, vituperative message board postings, controversial political statements, publicly available criminal records, or any other questionable information are helping recruiters eliminate otherwise promising candidates from available positions.   

But it’s not just recruiters who are doing this.  More and more companies—both large and small—are either doing their own in-house searches or subcontracting them out to investigators who do them quickly and inexpensively.  Employers are all too aware that the costliest and most expensive decisions they make have to do with hiring the “right” people.  And the flood of information out there helps them in their decision-making process. 

And it’s perfectly legal.  If you voluntarily provide information and pictures for others to see, you can’t complain if it doesn’t always garner the results you want.  Of course, if a potential employer hacks into a system or uses a password without authorization to compile its profile on you, then you may have legal recourse (assuming that you ever find out about it).  You won’t have the job, but you’ll have the chance to bring an expensive and time-consuming lawsuit. 

So, as I mentioned in my last posting, be careful in general, but especially if you’re unemployed and looking for work (or will be facing that prospect shortly).  If you have any doubts about posting something, this in itself should tell you that perhaps it’s better to resist the urge.  Remember:  When in doubt, keep it out! 

According to a new survey by Forrester Research, 41% of large companies (those having at least 20,000 employees) either read or analyze the contents of outbound e-mail.  They’re either paying other employees to read them or presumably using any number of commercially available software programs to analyze them. 

44% of the companies surveyed investigated a confidential data breach involving e-mail in the past year, while 26% said they fired an employee for violating the company’s e-mail policy.  Companies also expressed concern over employees leaking information on message boards, blogs, and other electronic media.

Quite frankly, I’m surprised only 41% of large companies are doing this (although it depends on the industry).  I would have expected it to have been much higher given the daily parade of data and privacy breaches in the news.  After all, it’s large companies that have the financial and human resources to implement widescale e-mail monitoring systems.  Smaller companies may be in a much different situation.

Of course, many employers find it distasteful to engage in this type of monitoring.  It can, if not handled properly, be destructive to employee morale and have lasting effects.  Nevertheless—for better or worse—many employees are slowly coming to grips with their employers’ monitoring efforts.  It’s just becoming a fact of life. 

But the truth is, I’ve had clients whose employees have e-mailed confidential and sensitive company data.  Some workers do it without thinking about it, while others are far more malevolent in their intentions.  This is especially the case when employees leave their companies on bad or poor terms.  So it’s a very real problem for employers that has very real consequences.  Thus, like it or not, monitoring will only continue to increase. 

Bottom Line:  Be careful.  You don’t have any right to privacy when you’re at work.  So don’t think that anything you send—whether to a spouse, boyfriend, girlfriend, doctor, stockbroker, or anyone else—is private.  Even if you have to send it and it can’t wait until you get home, an employer is within its rights to read your e-mail, no matter how private the subject matter.  Of course, what it does with that information is another matter.

In today’s world, where fraud is just a mouse click away, it’s nice to know that every so often the good guys win.  Three international hackers were indicted by the Department of Justice (“DOJ”) last week for trying to steal and sell credit card information from customers of Dave & Buster’s, the popular restaurant/entertainment chain.

According to the indictment, the hackers were able to install “packet sniffers” on many of the company’s servers to copy credit card information as it traveled between restaurants and Dave & Buster’s corporate headquarters in Dallas.  The company detected the intrusion and alerted the authorities, but not before 5,000 credit/debit card numbers were stolen and sold to other criminals to make fraudulent purchases.

One of the foreign hackers was arrested in Miami.  No problem there.  The other two, however, were arrested in the Ukraine and in Germany by those countries’ authorities.  It’s certainly not a done deal yet.  The DOJ is seeking the extradition of the other two, but no word yet whether those efforts will be successful. 

While these sorts of arrests are still few and far between given the magnitude of data theft and online fraud, it’s a start.  The DOJ is obviously taking the problem seriously.  Hopefully, other countries will too and the cooperation will continue.  With any luck, if these hackers are extradited, tried, and found guilty, the court will make an example out of them. 

Talk about a slow news day.  A recent article in USA Today discusses the so-called “fine print” in ISP contracts and then concludes that it doesn’t really matter anyway.  This non-story highlights the fact that ISP contracts, which their company lawyers draft, give ISPs rights to read their subscribers’ e-mail, block their subscribers from accessing certain websites, and can terminate their subscribers for overusage of their networks.  The horror.  Imagine that?  A business that protects itself.  The shareholders will be outraged.

As an attorney who drafts these contracts, this article is much ado about nothing.  Yes, ISPs put all sorts of language into these agreements to make sure that their services are not abused by users.  But simply because an ISP has the right to read a user’s e-mail or block a user from accessing certain sites doesn’t mean that it will actually do so.  The article makes it sound inevitable.

An ISP, like every other business in America, is keenly aware of the public relations disaster that would result if it was disclosed that they routinely read their users’ e-mails, blocked access to websites, or simply terminated their users accounts due to overusage, without good cause.  They would quickly and perhaps permanently lose users as the media and blogosphere savaged them.  And as they know all too well, everything in cyberspace lives on indefinitely. 

But think of the public relations disaster that would result if it was disclosed that an ISP was aware or suspected that a user was engaging in wide scale spamming, copyright infringement, or the downloading of child pornography.  Or that certain users were hogging bandwidth to the point that other subscribers’ service was affected, while the ISP took a laissez-faire attitude?  It’s not exactly a model of corporate responsibility in these post-Sarbanes Oxley times.  The blogosphere would again be buzzing, albeit for different reasons.  You’re damned if you do, and damned if you don’t.

Furthermore, some of these clauses are economic necessities.  The RIAA has begun targeting ISPs whose users engage in massive and sustained downloading of copyrighted music through their networks.  If an ISP suspects that a user is downloading copyrighted material and does nothing, it can be held liable for contributory copyright infringement in certain instances.  But by terminating the offending user’s account, it may insulate itself from liability.  The “fine print” of the contract allows an ISP to do so.

Is an ISP contract really that different from signing a lease with a landlord?  A landlord has the right to access your apartment with or without notice and can potentially invade your privacy.  A landlord puts certain restrictions as to how its property can be used and how many people can live in it.  And a landlord can evict you under the right circumstances.  While internet access is certainly important nowadays, so is having a place to live.  Yet many tenants have rules not unlike what their ISPs impose, but don’t assume that their landlords will exercise them indiscriminately.

So the contractual provisions such as those described in the article are not necessarily a bad thing.  It all depends upon the circumstances.  If an ISP does include a provision that a court finds to be unfair or onerous, it can be struck from the contract (to say nothing of the scrutiny the ISP would get from that state’s attorney general).  So it’s not as if an ISP can do anything it wants.  While it may sound like this is a case of “ISPs gone wild,” the simple fact is that—for the moment at least—this was an article in search of a story.  But when an ISP does overreach or overreact, I’m sure we’ll hear about it somehow.

     A Pennsylvania couple recently added their names to the long list of people who have sued Google.  Aaron and Christine Boring, who own a home in Pittsburgh, have filed suit against Google after learning that their house appears on Google’s controversial “Street View” feature, which allows its users to see an actual street-level view of a particular road, including all of the homes, apartments, people, and anything else that appears on it.  The Borings claim that Google violated their privacy, devalued their property, and caused them mental distress.

      This isn’t the first time that the Street View feature has raised privacy concerns, both here or abroad, when it made its debut last year.  Still, the Borings’ suit illustrates the shape of things to come with respect to the growing conflict between privacy rights and First Amendment rights.  Expect more lawsuits like this, especially as sites like Google continually roll out more and more features to provide detailed and information-rich experiences for their users.

     By and large, there’s no expectation of privacy on a public street, so Google hasn’t broken any laws.  Anybody and their property can be photographed on a public street at any time.  And the company does provide a means by which people can submit a request that certain images be removed.  Nevertheless, it’s still a bit creepy and just because a company has the right to do something doesn’t mean that it should do it.  Unless you’re Google—who has piles and piles of money.

      Of course, the problem with suing the 800 pound gorilla is that the gorilla has the resources to fight back.  And Google isn’t exactly known for rolling over and writing large checks to make litigants go away.  But despite Google’s claim that there’s no merit to the lawsuit—a common response from the company—the Borings’ case may have some teeth to it.  It appears that Google may have trespassed onto the Borings’ property in order to take the picture.  If so, then Google may indeed be in the wrong. 

    Damages, however, are another matter.  Assuming that the Borings’ privacy was violated, it’s hard to see how a picture of their home—which has apparently since been removed by Google—has either devalued their property or caused them mental suffering (which usually has to be severe in order to be compensable).  So if there are damages here, they seem somewhat nominal in nature.  But as any trial attorney knows, when you have either a sympathetic plaintiff or,  as in this case, an unsympathetic defendant (or both),  and a potentially unpredictable jury which may have the ability to award punitive damages, discretion on Google’s part may indeed be the better part of valor.  So perhaps the case will go away quietly.  Until the next one pops up.

     After my post about privacy yesterday, it’s nice to know that there are entrepreneurs out there who seek to make sure that our government—which generally has little problem with how private industry treats and shares our personal information—is as transparent as possible when it comes to its own information.  According to a story in the Washington Post, congressional staffers are outraged by a website, LegiStorm, which posts public information about the financial affairs of senior congressional staffers.       

     Under federal law, congressional staff members who earn more than $110,000 per year are required to file disclosure forms which list, among other things, their detailed financial holdings.  Why shouldn’t such staffers be subject to almost as much scrutiny as their bosses?  If they have the ear of some of the most powerful politicians in the world and serve as their handlers and gatekeepers, it only seems fair that the voters know if their financial interests may perhaps be influencing how their bosses vote on certain issues.  (Like issues involving privacy, for example.)  We sometimes forget that behind any politician is a group of people who write these influential laws.     

     And therein lies the irony:  Congress wrote these disclosure laws to help prevent public corruption and instill a sense of confidence in our public officials.  All staffers are obviously aware of them when they took their jobs.  So disclosure doesn’t seem to be the issue—it is the law, after all—but the dissemination that’s problematic.  Oh well, welcome to the internet age.  If congressional staffers really live in that much of a bubble where they think that they’re somehow exempt from close scrutiny in these politically polarizing times, then perhaps they’re as out of touch as some of the people they advise.         

     But the staffers have some legitimate concerns as well.  Some of the documents, which have since been redacted by the site, reportedly contained social security and bank account numbers.  Given the prevalence and ease of identity theft, this information obviously has to be removed prior to posting.  And if there is an instance of identity theft that can actually be traced back to the site (which is very unlikely), the site could conceivably be held liable.  There is such a thing as being too transparent.  While I may want to know if a staff member for a senator on the Finance Committee has large holdings in Fidelity, I don’t need to know the account numbers.  And we don’t want to dissuade smart, talented, and motivated people from joining the government if every conceivable detail of their financial lives is made public and widely disseminated.  Beyond these obvious concerns, however, sites like LegiStorm may help to keep Big Brother from getting too big . . . at least for a little while.