Introduction

After a recent uproar over a change in Facebook’s Terms of Service, the company restored the previous Terms of Service and solicited comments on new proposed Facebook Principles (“Principles”) and Statement of Rights and Responsibilities (“Statement”).^[1] Though we appreciate Facebook creating a dialogue with its users, we have significant questions about the proposed Principles and Statement and how they will affect individual privacy:

• In all of the Principles, the wording allows enough legal wiggle room for Facebook to ignore them completely.

• In the second Principle, there is a fundamental problem: it doesn’t discuss the gathering, mining, and sharing of user data. Users need to know how third-party developers use the data accessed or collected, including how the data is used for advertising and marketing.

• With Statement 2.3, Facebook creates a huge loophole that threatens user privacy. Users retain the rights to their data; Facebook may ask only for some limited use of the data. Individuals need to know what limited use of their data they are allowing if they choose to use Facebook.

• Overall, the Statement has strong limitations on advertiser access to some data, but there still needs to be full transparency about advertising from both Facebook and third parties.

Ultimately, users must have full knowledge of and control over any and all user data collected by Facebook or by any third party using Facebook’s platform. Facebook must change its Principles and Statement to give users this knowledge and control.

Proposed Principles Allow Wiggle Room to Ignore Them Completely

First, a general problem concerning the Principles is that there is substantial use of “should.” Every instance of “should” must be stricken. “Should” implies a choice on Facebook’s part whether or not to follow these Principles. If Facebook is committed to following this Principle, and other final Principles that will be created from this company-user dialogue, then Facebook will change the wording to empower its users/members. Facebook currently proposes:

1. Freedom to Share and Connect

People should have the freedom to share whatever information they want, in any medium and any format, and have the right to connect online with anyone – any person, organization or service – as long as they both consent to the connection.

Instead, Facebook should change the wording to say, “People have the freedom …” This would ensure Facebook would follow the Principles and not allow the company to use them as public relations camouflage while retaining legal wiggle room to ignore the Principles completely.

Second Principle Ignores Data Gathering, Mining and Sharing

There also is a fundamental problem with the second Principle: it doesn’t discuss the gathering, mining, and sharing of user data. Currently, it states:

2. Ownership and Control of Information

People should own their information. They should have the freedom to share it with anyone they want and take it with them anywhere they want, including removing it from the Facebook Service. People should have the freedom to decide with whom they will share their information, and to set privacy controls to protect those choices. Those controls, however, are not capable of limiting how those who have received information may use it, particularly outside the Facebook Service.

We urge Facebook to use this wording:

2. Ownership and Control of Information

People own their information. They have the freedom to share it with anyone they want and take it with them anywhere they want, including removing it from the Facebook Service. People have the freedom to decide with whom they will share their information, and to set privacy controls to protect those choices. As part of user control of their data, every Facebook user has the right to know and fully control if and how data is collected from them, especially if the data is to be used in advertising. Facebook will be transparent in how it collects and analyzes data for advertising, including profiling and targeting of users. Facebook also will detail to users what particular data collecting and mining will be done for advertising purposes. Facebook will ensure that every company that works with it, via third-party applications or otherwise, also details to users if their data is collected or mined, how this data will be collected or mined and for what the data that is collected or mined will be used. Those controls, however, are not capable of limiting how those who have received information may use it, particularly outside the Facebook Service.

Using this phrasing would show the commitment Facebook has to greater transparency about data collection and greater user control over whether and how her data is collected, mined, used or shared.

Users need to know how third-party developers use the data accessed or collected, including how the data is used for advertising and marketing. For example, if games and widgets and other third-party applications base their business model on capturing user data for lead generation, the users must be clearly told the details of this data capture and lead generation, and users must give their explicit approval first.^[2] Users have the right to control third-party use, access to, collection or sharing of user data, and Facebook needs to make this clear in its Principles.

With Statement 2.3, Facebook Creates Huge Loophole That Threatens User Privacy

Turning to the Statement of Rights and Responsibilities, there are several questions here, as well. The first concerns “2. Sharing Your Content and Information,” which reads:

You own all of the content and information you post on Facebook, including information about you and the actions you take (“content”). In order for us to share your content and provide you with our services, you agree to the following: […]

2.3 For content that is covered by intellectual property rights (like photos and videos), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use, copy, publicly perform or display, distribute, modify, translate, and create derivative works of (“use”) any content you post on or in connection with Facebook. This license ends when you delete your content or your account.

This section creates a huge loophole that threatens user privacy. Saying that Facebook has “a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use, copy, publicly perform or display, distribute, modify, translate, and create derivative works of (“use”) any content you post on or in connection with Facebook” to items such as individual users’ photos or videos is just plain creepy.

No user believes that Facebook has the right or license to use photos of their children, videos of family or friends, or other such personal data. Users retain the rights to their data; Facebook may ask only for some limited use of the data.

How will Facebook exercise the limited use that it is claiming? Is Facebook retaining these limited uses so that it may someday impose “Beacon” or some other advertising system upon users who have not opted-in to the advertising system?

If you recall, Facebook’s quiet introduction of Beacon in 2007 led to anger from its users, advertisers, and advocacy groups and an apology from Facebook CEO Mark Zuckerberg.^[3] Users were appalled that Facebook and its advertising partners chose to broadcast their off-Facebook activities (such as online retail purchases) to their friends without the users’ consent. In one case, Facebook broadcast a man’s engagement ring purchase (including the price) though he hadn’t consented to the publication and hadn’t yet proposed. The backlash led to users deleting their Facebook accounts and advertisers pulling out of Beacon, trying to distance themselves from the fiasco.^[4]

Facebook should change 2.3 by striking “any content you post on or in connection with Facebook.” Facebook should instead list exactly what content the company will ask users to allow limited use of and what the company will do with these limited uses of user data. Individuals need to know what limited use of their data they are allowing if they choose to use Facebook.

Statement Has Strong Limitations on Advertiser Access to Some Data, But Still Needs Full Transparency About Advertising From Facebook and Third Parties

We support that Facebook’s Statement includes sections “9. Special Provisions Applicable to Developers/Operators of Applications and Websites” and “10. About Advertisements on Facebook.” We approve of the limitations you have set on advertisers’ gathering, use, and sharing of users’ data. We especially support “9.2.2 You will make it clear to users how you are going to use, display, or share their data” and “9.2.4 You will delete all data you received from us relating to any user who removes or disconnects from your application unless the user gives you permission to keep it.”

However, there needs to be full transparency concerning advertising from Facebook and third parties. Section 10.3 stating, “You understand that we may not always identify paid services and communications as such” should be stricken and replaced with “We will always identify paid services and communications from Facebook and any third parties as such.” If Facebook does not identify these paid services and communications, then users will not have the knowledge necessary to make decisions about these services and communications, including whether to allow access to the user’s individual data.

As we explained above, Facebook users need to know how third-party developers use the limited user data they are allowed to access or collect, including how the data is used for advertising and marketing. Users have the right to control third-party use, access to, collection or sharing of user data, and Facebook needs to make this clear to third-party developers as well as Facebook users.

Conclusion

We appreciate that Facebook has begun this dialogue with users and hope that it will continue to take user comments into account. We urge Facebook to make the changes we have described above. Facebook users must have full knowledge of and control over any and all user data collected by Facebook or by any third party using Facebook’s platform. Facebook must change its Principles and Statement to give users this knowledge and control. Facebook’s role is as a commercial service, but Facebook must remember that it has a public square function. Therefore, Facebook needs to embrace new rules, openness, and user control in order to reflect a socially responsible business in the digital era.

Submitted by:

Jeff Chester
Executive Director
Center for Digital Democracy
1718 Connecticut Ave NW, Suite 200
Washington, DC 20009

(202) 494-7100

Date: March 24, 2009

---

1 Facebook, Press Release, Facebook Opens Governance of Service and Policy Process to Users, Feb. 26, 2009, available at http://www.facebook.com/press/releases.php?p=85587; Proposed Facebook Principles, http://www.facebook.com/topic.php?uid=54964476066&topic=7960; Proposed Statement of Rights and Responsibilities, http://www.facebook.com/topic.php?uid=67758697570&topic=7569.

2 For more information on how third parties use Facebook to acquire data from users without the users' understanding, see Adam Mayle, Center for Digital Democracy, The Facebook Economy: Deficits in Data Privacy (April 2008), available at http://democraticmedia.org/current_projects/privacy/analysis/facebook_economy and Canadian Internet Policy and Public Interest Clinic, PIPEDA Complaint: Facebook, May 30, 2008, available at http://www.cippic.ca/uploads/CIPPICFacebookComplaint_29May08.pdf.

3 Blog post by Facebook CEO Mark Zuckerbeg, Thoughts on Beacon, Dec. 5, 2007, http://blog.facebook.com/blog.php?post=7584397130. Advertisers connected with Beacon included: AllPosters.com, Blockbuster, Bluefly.com, CBS Interactive (CBSSports.com & Dotspotter), eBay, ExpoTV, Fandango, Gamefly, Hotwire, Joost, Kiva, Kongregate, LiveJournal, Live Nation, Mercantila, National Basketball Association, NYTimes.com, Overstock.com, (RED), Redlight, SeamlessWeb, Sony Online Entertainment LLC, Sony Pictures, STA Travel, The Knot, Travelocity, TripAdvisor, Travel Ticker, TypePad, viagogo, Vox, Yelp, WeddingChannel.com, and Zappos.com. Facebook, Press Release, Leading Websites Offer Facebook Beacon for Social Distribution, Nov. 6, 2007, available at http://www.facebook.com/press/releases.php?p=9166.

4 "Overstock.com pulled out of Beacon a couple weeks ago, according to spokesman Judd Bagley." Betsy Schiffman, Advertisers Snub Facebook, Wired News, Dec. 3, 2007, available at http://blog.wired.com/business/2007/12/advertisers-snu.html; "Jonathan E. Johnson, Overstock.com senior vice president of corporate affairs, said in an interview with CNET News.com that the company is not yet ready to consider rescinding its decision to ditch Beacon. 'We've turned it off. We'll keep it off until it's crystal clear to the user that it's a double opt-in procedure,' he said, emphasizing that he wants users to have to actively decide on both Facebook and Overstock that they want to participate—not that they want to not participate." Caroline McCarthy, Facebook's Zuckerberg: 'We simply did a bad job' handling Beacon, CNet News, Dec. 6, 2007, available at http://news.cnet.com/8301-13577_3-9829526-36.html.

Attachment	Size
facebookCDD1March09.pdf	133.75 KB