Some thoughts on the Facebook terms of service privacy storm:
Facebook and other social networks have an especially tricky time in this zone, since so much user data is relational. You upload a photo of you and me; I tag it with your name. I leave Facebook — does your name disappear from the photo since I was the one who originally tagged it? Should all traces of someone vanish from everyone’s news feed, or is the alert that X posted a photo (along with a thumbnail of the photo) a different contribution than … posting the photo? Facebook possibly thought to avoid these issues — or at least retain maximum flexibility to answer them — by including the sweeping clauses about being able to retain our data forever.
One lesson is that plain English (and its other-language counterparts!) works better these days than legalese. When talented lawyers sit down to draft something like a set of terms of service, they naturally want terms that protect their client as much as possible — both in its current practices and for any future practices it could conceivably undertake. Plus they know that courts will hold this language against them in a dispute if there’s any wiggle room, since the company itself drafted it and the users couldn’t negotiate. So the writers tend to (1) reuse terms from other companies’ agreements like old holiday fruitcakes getting passed around, since venerable terms must be good ones, and (2) write broadly and at length. But now just one hawk-eyed person scrutinizing new terms can see them get broadened and raise an alarm to everyone else, thinking of all sorts of future actions the company just permitted itself to take — the way the lawyers themselves were thinking, too. This is true even if the people running the company didn’t have anything more in mind than avoiding some class action lawsuit for using people’s data in ways that could be said to exceed the limits they’ve placed on themselves with their own terms.
So — Facebook will go back to the drawing board and come up with something new, no doubt rightly more narrowly drawn. In another post Zuckerberg said:
- More than 175 million people use Facebook. If it were a country, it would be the sixth most populated country in the world. Our terms aren’t just a document that protect our rights; it’s the governing document for how the service is used by everyone across the world. Given its importance, we need to make sure the terms reflect the principles and values of the people using the service.
Governing document is right. That brings up two bigger-picture issues worth highlighting out of what otherwise might be a garden-variety dispute about privacy terms that people can have with any of the companies to whom they entrust their data.
First, if Facebook is analogous to a country, how to govern it? There’s an amazing amount of energy devoted to arguing about who gets to control the top-level allocation of domain names, since they’re seen as a shared resource of the Net that can greatly affect people’s lives. (I think that’s overblown, but that’s a different discussion.) So what about a “community” like that of Facebook, where people invest their data — indeed, often their very identities? When someone’s years-long cultivated Facebook account is terminated for alleged objectionable behavior, is that a mere customer service issue, or ought it be thought of as something broader? No one expects Facebook to be run by anyone other than its management and private owners (and perhaps someday its public shareholders), adjusting for market pressure from its users, but if the communities there are truly to flourish, perhaps it’s time to experiment with forms of self-governance. Just as online multiplayer games allow worlds of users with different rules, and some incorporate users themselves into developing those rules, Facebook could experiment with some of the same things. (So far online organizing on Facebook tends to be represented by the creation of groups with provocative titles and then a count of how quickly how many people sign up, an especially interesting metric since Facebook itself can tweak how often word of people joining a group appears in their friends’ newsfeeds.) There may be a sweet spot somewhere between the status quo — where at least we know whom to blame or sue if we disagree with a Facebook policy — and, say, Wikipedia, where governance generally takes place in ways large and small among the thousands of people who edit its articles and work through the disputes that naturally arise there.
Second, it’s amazing how much people focus on Facebook’s use of data vs. uses by fellow users on Facebook. I think “peer-to-peer” privacy violations will turn out to be the most interesting and pervasive, and that we ought to start working out how to handle these issues. Even small tweaks in how a site like Facebook operates — such as who gets to tag and untag a photo and who is notified (or asked for permission) when tagging happens — can have a huge impact on the flow of data and identity. (Facebook’s structure is highly innovative here — they’ve actually got pretty good instincts about people’s privacy preferences.) This is especially true as more and more of our “mouse droppings” end up in social networks — automatically updated telemetry about our daily travels (think Google Latitude) or changes in who we’re friends with. I’ve written a lot more about this in chapter nine of “The Future of the Internet — And How to Stop It,” available for free download. (But you’re welcome to buy it, too, newly in paperback!)
Privacy “perfect storms” are good times to think about these matters — too often people are too busy shoveling out their data to really think through the implications of what they’re doing. Now, with the pitchforks on this particular issue being mostly returned to holsters, we can debate. …JZ