You’ve probably heard by now about the change that Facebook made to its Terms-of-Service (”TOS”) policy last week regarding the company’s “perpetual use” of a user’s information even after the user terminates his/her Facebook account.  It prompted an outcry, with many users threatening to quit the service.  Facebook has now done a complete about-face and announced, for the time being at least, that the old TOS was going to be reinstituted while the company resolves “the issues that people have raised.”

The change focused upon the license provision of the TOS.  Facebook deleted a sentence from its old policy that the company could not claim any rights to a user’s content once that person’s account was closed.  Instead, the company replaced it with other language giving it the right to store and retain copies of a user’s content indefinitely.  It must have been a slow news day, because this really shouldn’t have created the firestorm that it did.

First, at no time did Facebook exercise any actual ownership claims over its users’ content.  It never did.  Copyright remained with the user, where it’s always been.  So people need to relax.  Some of the articles and blog postings that I’ve seen are trying to read much more into this change then there really is (or was). 

Also, even under its broad license provision—which is hardly unusual—people need to be a bit more realistic about their own content.  Facebook simply has no interest in using the picture of you and your German Shepherd playing together on the lawn or in the song you strummed on your guitar one night for your friends.  To put it bluntly:  Get over yourself.

In many ways, this is a tempest in a teapot.  However, when you’re the biggest social networking site at the moment and are growing by about 4 to 5 million users per week, even small changes to a TOS can take on a life of their own.  Mark Zuckerberg, Facebook’s CEO, characterized the reason for the change this way:

One of the questions about our new terms of use is whether Facebook can use this information forever. When a person shares something like a message with a friend, two copies of that information are created—one in the person’s sent messages box and the other in their friend’s inbox. Even if the person deactivates their account, their friend still has a copy of that message. We think this is the right way for Facebook to work, and it is consistent with how other services like email work. One of the reasons we updated our terms was to make this more clear.

In reality, we wouldn’t share your information in a way you wouldn’t want. The trust you place in us as a safe place to share information is the most important part of what makes Facebook work. Our goal is to build great products and to communicate clearly to help people share more information in this trusted environment.

Facebook’s position is not unreasonable.  While users are perhaps rightly concerned that this seemingly small TOS change could have a far greater impact then intended, let’s not go too crazy with anti-Facebook sentiment just yet.  I’m all for privacy and protecting people’s personal information—it’s a continuing theme throughout this blog.  It’s an important issue and people should be concerned.

But does anyone seriously think that if Facebook did something stupid—such as taking an expired user’s picture or other content and using it in an advertisement—the backlash against it wouldn’t be swift and severe?  While the company would be able to point to its TOS claiming that it had the right to do what it did, it would still become a public relations fiasco, with prominent bloggers leading the “I told you so” charge and the refrain, “just because you have the right to do something doesn’t mean you should.”  Facebook obviously understands that.

While the company has achieved critical mass and its 175 million users gives Facebook considerable muscle at the moment, internet users are a fickle bunch.  The next social networking site is only an e-mail address and password away.  And if that site were to offer comparable or better services and a more user-friendly TOS that gives its users more control over their content, word would spread as only word can on the internet.  Every internet business is acutely aware that its next competitor may be a garage or college dorm room away.  So Facebook will be cautious in what it does, as its reversion back to the old TOS demonstrates.

Zuckerberg also correctly notes that these issues are “difficult terrain to navigate and we’re going to make some missteps.”  As a technology lawyer, I can attest that they are indeed difficult issues to address and require a great deal of thought.  So while this may have been a bit of a misstep from a public relations perspective, it’s also a “sensible” one given some of the concerns that the company has.  While Facebook is going to slow the TOS amendment process down somewhat, it will still move forward.  It will be evolutionary, not revolutionary. 

As an attorney who both drafts and litigates TOS policies, there are some practical lessons to be learned here.  At the very outset of a website’s inception, I often—but not always—tell my clients to go for the broadest possible content license from its users when the TOS is first posted, unless there are reasons against it (which there sometimes are depending upon the type of entity that is collecting the content and the type of content being collected).  Better to have it and not need it, than to need it and not have it.

This way, users know at the very outset (or at least are given the opportunity to know) what licensed rights the company has in their content.  Based upon all of the TOSs that I’ve drafted through the years, I’ve found that in many instances it’s only after a site catches-on and becomes popular that people start to pay really close attention to how they’re content is being used.  And the site may never catch-on so it may never become an issue.  Also, as a general matter, few users read a TOS when it’s first posted anyway.  And since so many sites use them, there tends to be ”TOS fatigue.”  They don’t exactly make for a stimulating read no matter how plainly they’re written.

It’s only later when a company announces its inevitable changes to the TOS that users then pore over the language—which is what happened to Facebook.  If after the site has been up-and-running, a company wants to restrict what it does with a user’s information, i.e., disseminate or use it less broadly than originally intended, few users would raise an eyebrow.  After all, people don’t often complain that a company isn’t using their personal information broadly enough.  How would users even know?  If the TOS is drafted properly, the company would have the right to use as little information as it wants anyway.  It’s the broader uses that get a company into trouble. 

While I realize that this is much easier said than done and that a company may not really know what it needs when it first starts doing business (Facebook, after all, started out as a site while Zuckerberg was at Harvard), I prefer to err on the side of caution and ask for broad user license rights that a company may never need, as opposed to too few rights and then run the very real risk of alienating users if the company needs to ask them for more.  At that point, everyone is paying attention.  But it depends on many factors and can be a bit of a “balancing test.”  So if you’re in the process now of putting together your site, develop the TOS carefully and think it through.

Perhaps that’s the plus side from the Facebook story.  People are indeed paying attention to these issues more and more.  So companies do need to be careful.  All it takes is one blog post and . . . .

Does the flood of information ever end?  Do we have to know everything about everyone—in real time?  While location-tracking software is not new (well, not too new, anyway), Google’s expected move into this market only further reinforces Scott McNealy’s eerily prophetic saying, “You have zero privacy anyway.  Get over it.”  But now when you “get over it,” all of your friends will be able to see exactly where you were and when.

Google just launched its Latitude software that lets mobile phone users share their mapped location with their network of contacts—if they so choose.  This is nothing new, per se, given the existence of other companies such as Loopt, BrightKite, and Dopplr (for example), as well as most people’s familiarity with GPS, but Google’s entry into the marketplace provides further evidence that the technology is becoming even more widespread.  Maybe too much so.  But when the 800 pound gorilla talks, everyone listens.

According to the article, Google “hopes it will help people find each other while out and about and keep track of loved ones.”  Those are helpful and noble intentions.  What parents wouldn’t want to know where their teenagers are?  Or be able to direct a lost friend to your precise location?  But hope is a fickle thing.  And what Google hopes for and how Latitude will actually be used are two entirely different things.  We all know what the road to hell is paved with.  Lawyers make their living off of it (more on that in a moment).

Google requires that people expressly sign-up for the service and gives them the opportunity to tailor their preferences as to who they can share their location with, as well as the type of information shared.  While that gives the user some degree of control, it’s probably only a matter of time before a bored 16 year-old in hacks into the system and tracks people. 

Even if this doesn’t occur anytime soon, a disgruntled ex-husband may be able to track his ex-wife who forgot to take him out of her “network.”  While entire companies have sprung-up offering this type of GPS-based (and typically illegal) service, now a person can do so without any special equipment whatsoever.  Just a little bit of software and a forgetful spouse.  It goes without saying that stalking is a very real problem in this digital age and tools that used to be available only to law enforcement are becoming increasingly more common.

The fact that such software is even available is part of the larger privacy debate that will be with us for quite some time.  There are no easy answers in a society that never seems to have enough information about others.  Yet from a litigation perspective, few people may realize that all of this location data is stored by a provider for varying degrees of time and subject to subpoena and disclosure in the proper circumstances. 

Thus, in criminal or civil cases where a person’s time and location is an issue, it provides yet one more tool for lawyers to pursue when representing their clients.  Just ask those divorce attorneys in Massachusetts and elsewhere about getting all of that “E-Z Pass” toll information to discover cheating spouses.  Modern convenience has its costs.

So the age old Perry Mason question, “Where were you on February 4, 2009?” now becomes, “Why were you on the corner of 53rd and 7th Avenue at 3:12 p.m. on February 4, 2009?”  And while it may—may—help lawyers such as myself get to the truth faster in a courtroom, the human part of me (and yes, that still exists) finds it it to be unsettling.  So bad grammar aside, the question, ”Where you at?” now becomes, “Why you there?”  Ah technology . . . .

Kudos to the New Jersey Supreme Court.  Last week, the court ruled that ISPs can’t release personal information about their New Jersey users without a valid subpoena.  The court, in a unanimous 7-0 ruling, found that the New Jersey Constitution gives its residents greater protection against unreasonable searches than the U.S. Constitution does.  In the case before the court, the court ruled that the police were required to first obtain a grand jury subpoena before learning a woman’s identity from an ISP.  Her ISP apparently released this information at the request of the police. 

This is an important decision.  First, the New Jersey Supreme Court is one of the more highly regarded state courts in the United States.  Other state courts wrestling with these types of issues will undoubtedly look to see how the New Jersey court decided this case.  Second, it illustrates the continued rise of “state constitutionalism.”  People typically don’t realize that the federal constitution sets a “floor” on a person’s constitutional rights, not a “ceiling.”  In other words, a state court can’t rule that its state’s constitution gives less protection than the federal one does, but can find that the state constitution gives more—at least to its own residents.

Given the perception that the U.S. Supreme Court is less friendly (and somewhat hostile) to privacy rights—especially when it comes to the rights of law enforcement to obtain personal data in these post-9/11 times—combined with the continued paralysis in Congress over individual privacy rights, a ruling from a state’s highest court on issues such as this serves as an implicit rebuke at the lack of leadership at the federal level.  While it’s only one state so far that has now recognized a reasonable expectation of privacy for internet users, it’s got to start somewhere.  Let’s hope other states follow suit.  

     In yet another invasion of privacy couched in the rhetoric of “but the consumer will benefit!” comes this story from the Washington Post.  Apparently, a small but growing number of ISPs are monitoring their users’ every click and keystroke.  The ISPs then harvest the data to determine a user’s interests and preferences and provide it to advertisers who make highly targeted pitches to the user.  I can see the pitch now:  “We’ve noticed that you’ve typed in the word “hemorrhoids” 12 times, searched Google 3 times, and visited 9 sites.  Here’s a coupon to try Preparation H for free.  It will stop the itch!”

      This monitoring is known as “deep-packet inspection” and it divides every aspect of a user’s data into packets that an ISP can analyze for content.   First, as a general matter, whenever I see anything with the words “deep” and “inspection” in a title, I get somewhat concerned without even having to read any further (similar to how the FBI first named its now infamous packet-sniffing software ”Carnivore,” but later changed it to the more benign-sounding “DCS1000″).  From a more substantive perspective, however, it represents a considerable escalation of an ISP’s ability to monitor its users.  Barring any legislative or regulatory action, it won’t be long until all ISPs engage in this practice.  According to the article, only 100,000 users are affected at the moment.

     As usual, the ISPs gain their users’ consent by burying the monitoring in their lengthy customer service agreements.  According to the article, one ISP—Knology—has a 27 page agreement and only makes vague reference to the system.  Few people actually have the time and energy to read them, and those that do will not necessarily understand them anyway.  The lawyers that draft them are not exactly known for their clarity, especially when it comes to a controversial subject such as this.  In fact, according to one Knology executive, there’s no violation of privacy at all.

     The article is silent as to how long an ISP actually retains all of this information, but presumably can retain it indefinitely.  And even if it doesn’t, once the information is disclosed and sold to advertisers, copies of it could continue to reside in cyberspace even if the ISP purges its records.  The article is also silent as to how such information could easily be disclosed to law enforcement or to parties involved in civil litigation.  So the march towards “zero privacy” continues. <sigh>