Okay, maybe I’m being a bit sarcastic with the title.  But according to a recent article and study (i.e., the Sophos Security Threat Report), spam, phishing, and malware attacks on social networking sites doubled from 2009 to 2010.  Not surprisingly, identity theft and third party use of personal information were primary goals of cybercriminals.

This is hardly shocking and it wouldn’t be surprising if these numbers doubled again from 2010 to 2011 given the increasing importance of social media—for better or worse—in our personal and business lives.  But what do people really expect?  Criminals go where the people are and when Facebook has 600 million users, that’s a big crowd to fleece.  And criminals can do so in the comfort of their own homes and in foreign countries knowing full well that their chances of getting nabbed are about as likely as Apple stopping production of the iPhone.  What do they really have to lose?

Not surprisingly according to the article, users want sites like Facebook to take stronger security measures.  And while sites can certainly do so in some instances voluntarily, it may take a court ruling (as it often does) to force a company to implement more substantive protections. But first you have to get past those nasty contractual disclaimers that we lawyers put into practically all user agreements about not holding the site liable for almost anything that happens on it:  “Identity theft be damned—so sorry, but it’s just not our problem!” 

Remember when you clicked “I AGREE” on that user agreement?  You can be sure Facebook does, because that’s an enforceable contract in most instances.  (No need to thank us, by the way—the public’s opinion of lawyers is thanks enough!)  Very tough to challenge, but not impossible if the right facts present themselves.  Combined with the right judge, of course.  Sometimes the lottery’s easier to win though.

The fact is that while social media sites have to do more, especially those that operate on the massive scale Facebook does, we have ourselves to blame also.  How much personal information do we really need to disclose about ourselves?  I’ve always believed that less is usually more, but perhaps because I’m over 40 (which is 95 in cyberyears), many young ’uns believe that more is more.  And that even more is still not enough.  I forget:  Does TMI stand for “Too Much Information” or “Too Many Idiots” when we  ”overshare?”  Because cybercriminals count on both meanings to do their dirty work.

Do we really need to tell everyone when we won’t be home, thereby inadvertently notifying criminals when the best time to rob us is?  Or are we so egotistical that we have to “friend” a ton of people so we can brag about how big our network is, only to unwittingly let in unsavory characters? Or to post a lot of personal details until the inevitable privacy breach thereby exposing all of that information to the world—and to sophisticated criminals who can then make use of it in all sorts of ways that decent law-abiding people have never thought of.

I often wonder where the proper practical balance is.  Because if you’re expecting the law to catch up to address some of these informational privacy and security issues, we’ll be on Web 5.0 at that point … and on Cybercriminal 7.0.  And do you really want to be the “test case” anyway?

You’ve probably heard by now about the change that Facebook made to its Terms-of-Service (“TOS”) policy last week regarding the company’s “perpetual use” of a user’s information even after the user terminates his/her Facebook account.  It prompted an outcry, with many users threatening to quit the service.  Facebook has now done a complete about-face and announced, for the time being at least, that the old TOS was going to be reinstituted while the company resolves “the issues that people have raised.”

The change focused upon the license provision of the TOS.  Facebook deleted a sentence from its old policy that the company could not claim any rights to a user’s content once that person’s account was closed.  Instead, the company replaced it with other language giving it the right to store and retain copies of a user’s content indefinitely.  It must have been a slow news day, because this really shouldn’t have created the firestorm that it did.

First, at no time did Facebook exercise any actual ownership claims over its users’ content.  It never did.  Copyright remained with the user, where it’s always been.  So people need to relax.  Some of the articles and blog postings that I’ve seen are trying to read much more into this change then there really is (or was). 

Also, even under its broad license provision—which is hardly unusual—people need to be a bit more realistic about their own content.  Facebook simply has no interest in using the picture of you and your German Shepherd playing together on the lawn or in the song you strummed on your guitar one night for your friends.  To put it bluntly:  Get over yourself.

In many ways, this is a tempest in a teapot.  However, when you’re the biggest social networking site at the moment and are growing by about 4 to 5 million users per week, even small changes to a TOS can take on a life of their own.  Mark Zuckerberg, Facebook’s CEO, characterized the reason for the change this way:

One of the questions about our new terms of use is whether Facebook can use this information forever. When a person shares something like a message with a friend, two copies of that information are created—one in the person’s sent messages box and the other in their friend’s inbox. Even if the person deactivates their account, their friend still has a copy of that message. We think this is the right way for Facebook to work, and it is consistent with how other services like email work. One of the reasons we updated our terms was to make this more clear.

In reality, we wouldn’t share your information in a way you wouldn’t want. The trust you place in us as a safe place to share information is the most important part of what makes Facebook work. Our goal is to build great products and to communicate clearly to help people share more information in this trusted environment.

Facebook’s position is not unreasonable.  While users are perhaps rightly concerned that this seemingly small TOS change could have a far greater impact then intended, let’s not go too crazy with anti-Facebook sentiment just yet.  I’m all for privacy and protecting people’s personal information—it’s a continuing theme throughout this blog.  It’s an important issue and people should be concerned.

But does anyone seriously think that if Facebook did something stupid—such as taking an expired user’s picture or other content and using it in an advertisement—the backlash against it wouldn’t be swift and severe?  While the company would be able to point to its TOS claiming that it had the right to do what it did, it would still become a public relations fiasco, with prominent bloggers leading the “I told you so” charge and the refrain, “just because you have the right to do something doesn’t mean you should.”  Facebook obviously understands that.

While the company has achieved critical mass and its 175 million users gives Facebook considerable muscle at the moment, internet users are a fickle bunch.  The next social networking site is only an e-mail address and password away.  And if that site were to offer comparable or better services and a more user-friendly TOS that gives its users more control over their content, word would spread as only word can on the internet.  Every internet business is acutely aware that its next competitor may be a garage or college dorm room away.  So Facebook will be cautious in what it does, as its reversion back to the old TOS demonstrates.

Zuckerberg also correctly notes that these issues are “difficult terrain to navigate and we’re going to make some missteps.”  As a technology lawyer, I can attest that they are indeed difficult issues to address and require a great deal of thought.  So while this may have been a bit of a misstep from a public relations perspective, it’s also a “sensible” one given some of the concerns that the company has.  While Facebook is going to slow the TOS amendment process down somewhat, it will still move forward.  It will be evolutionary, not revolutionary. 

As an attorney who both drafts and litigates TOS policies, there are some practical lessons to be learned here.  At the very outset of a website’s inception, I often—but not always—tell my clients to go for the broadest possible content license from its users when the TOS is first posted, unless there are reasons against it (which there sometimes are depending upon the type of entity that is collecting the content and the type of content being collected).  Better to have it and not need it, than to need it and not have it.

This way, users know at the very outset (or at least are given the opportunity to know) what licensed rights the company has in their content.  Based upon all of the TOSs that I’ve drafted through the years, I’ve found that in many instances it’s only after a site catches-on and becomes popular that people start to pay really close attention to how they’re content is being used.  And the site may never catch-on so it may never become an issue.  Also, as a general matter, few users read a TOS when it’s first posted anyway.  And since so many sites use them, there tends to be ”TOS fatigue.”  They don’t exactly make for a stimulating read no matter how plainly they’re written.

It’s only later when a company announces its inevitable changes to the TOS that users then pore over the language—which is what happened to Facebook.  If after the site has been up-and-running, a company wants to restrict what it does with a user’s information, i.e., disseminate or use it less broadly than originally intended, few users would raise an eyebrow.  After all, people don’t often complain that a company isn’t using their personal information broadly enough.  How would users even know?  If the TOS is drafted properly, the company would have the right to use as little information as it wants anyway.  It’s the broader uses that get a company into trouble. 

While I realize that this is much easier said than done and that a company may not really know what it needs when it first starts doing business (Facebook, after all, started out as a site while Zuckerberg was at Harvard), I prefer to err on the side of caution and ask for broad user license rights that a company may never need, as opposed to too few rights and then run the very real risk of alienating users if the company needs to ask them for more.  At that point, everyone is paying attention.  But it depends on many factors and can be a bit of a “balancing test.”  So if you’re in the process now of putting together your site, develop the TOS carefully and think it through.

Perhaps that’s the plus side from the Facebook story.  People are indeed paying attention to these issues more and more.  So companies do need to be careful.  All it takes is one blog post and . . . .