When Facebook changed its official terms of service earlier this month, what ensued was an explosive public outcry over who owns what users post to social networking sites. Tens of thousands of Facebook's 175+ million users suddenly clicked that often-overlooked link at the bottom of the webpage and poured over the arcane and legalistic language comprising Facebook's terms of service. For many, this was no doubt the first time they had ever read the policy. Below, we recap the recent controversy and discuss the three lessons Facebook and the rest of us should have learned from this series of events. 

Recap: Facebook Revises Terms of Service, Ignites Massive Public Firestorm

On February 4, 2009 Facebook announced on its official blog that it had updated its terms of service and provided its customers with a link to those new terms of service. The revisions went little remarked upon until February 15th when The Consumerist, Consumer Reports' official blog, posted a story entitled “Facebook's New Terms Of Service: ‘We Can Do Anything We Want With Your Content. Forever.’” The post focused on a revised clause that provided Facebook with irrevocable rights to use its users’ likenesses and content:

You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof.

This most severe change from the original terms was that the revised clause excised a sentence that terminated Facebook's license to user content:

You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.

After the Consumerist broke the news, the post received over 300,000 hits in a single day (according to the New York Times) and after the post ignited a firestorm of criticism, blog posts and articles, one Facebook user created the user group “People Against the New Terms of Service (TOS)”.  Two days later, the Consumerist reported that more than 750 articles had been written on the subject and the People Against the New Terms of Service group had 64,000 members.  As of this posting, the group is over 141,000 members and growing.  This may make Facebook's recent revision the most controversial event that has ever occurred in the history of website usage policies. 

Facebook responded to the criticism within days.  First, on February 16, 2009, Facebook attempted to explain that they did not believe the new terms of service did what critics said they did.  Then, Facebook withdrew the revised terms of service two days later, on February 18, 2009, and created a user group to open up discussion on a Facebook Bill of Rights and Responsibilities. Facebook appears to be attempting to harness this controversy to power continued user debate and involvement in the site. 

Below we discuss three key lessons to learn from the controversy over Facebook’s terms of service.

What will make millions of Facebook users suddenly stop ignoring the link that has always been at the bottom of their Facebook profile and actually read the terms of service? The answer is: a rumor that their vacation photos, wall-to-wall conversations with friends and movie compatibility test results are no longer theirs to control.  Much of the criticism comes from a simple objection to Facebook asserting ownership of its users’ creative works and personal photographs, no matter how widely they are distributed. Like it or not, the clear concern voiced by tens, if not hundreds of thousands of Facebook users is that their photos and content belongs to them, not Facebook.  Anyone that permits users to create or post their own on-line content should be paying careful attention here. Social networking permits users to generate public content, but there is an emerging view, if not a consensus, that a user is entitled to a certain degree of control over the content that she or he generates. 

Lesson 2:  No One Likes Legal Terminology, Especially the Terms Apply To Me

Perhaps the greatest irony of the Facebook controversy is that it demonstrates that few users have ever read the terms of service before. There has been loud criticism of Facebook for asserting an "irrevocable, perpetual . . . worldwide license" of user content (see user comments here), even though this language was taken word for word from the original terms of service. As lawyers, some of us have become used to this kind of legal boilerplate, but when the news of Facebook's revision hit, users turned in record numbers to the terms of service and discovered, for the first time, an uncomfortable twinge at the thought that anyone, let alone Facebook, had something "perpetual" or "irrevocable" to do with the pictures from their last family reunion or Friday night's cocktail party. Even lawyers have become concerned, judging from the number of lawyers from a wide variety of practices that we recognize among the members of the People Against the New Terms of Service user group. 

It may be necessary for Facebook to obtain certain legal rights to user content because it has to store, manage and archive this information.  But, the Facebook firestorm teaches us that policymakers and lawyers may sometimes need to spare the overbroad legal boilerplate and reassess what rights are really necessary to operate.

Lesson 3:  Let’s Discuss, Not Dictate

Finally, the introduction of the new terms of service was seen by some as having been done in an inappropriate manner. Some claimed that Facebook did not inform users of the change to the terms (see here), while others argued that the notification provided to users of the new terms of service was too subtle. In response to this criticism, Facebook has been quick to open lines of communication. It created a user group to discuss changes they believe they must make to the terms of service and allowing users to comment on proposed policy before it is implemented. While there has been talk that the solution is greater transparency so that users know what policies you are considering, it seems the greater lesson to be learned here is to know your users. 

Links:

• Amanda L. French, Ph.D. blog “Facebook terms of service compared with MySpace, Flickr, Picasa, YouTube, LinkedIn, and Twitter”: http://amandafrench.net/2009/02/16/facebook-terms-of-service-compared/
• Consumer Reports: http://www.consumerreports.org/cro/index.htm
• The Consumerist: http://consumerist.com/
• Consumerist article " http://consumerist.com/5150175/facebooks-new-terms-of-service-we-can-do-anything-we-want-with-your-content-forever
• Consumerist “Facebook Clarifies Terms of Service: ‘We Do Not Own Your Stuff Forever’”:http://consumerist.com/5154745/facebook-clarifies-terms-of-service-we-do-not-own-your-stuff-forever
• Edward Champion, “I’m Done With Facebook”: http://www.edrants.com/im-done-with-facebook/
• Facebook: http://www.facebook.com/
• Facebook announces new terms of service: http://blog.facebook.com/blog.php?post=50531412130
• Facebook explains new terms of service: http://blog.facebook.com/blog.php?post=54434097130
• Facebook to allow comments on new policy: http://blog.facebook.com/blog.php?post=56566967130
• Facebook withdraws new terms of service and announces group to discuss changes in policy: http://blog.facebook.com/blog.php?post=54746167130
• Filmmaker blog “Facebook Terms of Service Change Causes Uproar”:http://www.filmmakermagazine.com/blog/2009/02/facebook-terms-of-service-change-causes.php
• Fox New, “Facebook CEO to Scared Users: Trust Us”:http://www.foxnews.com/story/0,2933,494804,00.html
• Jim. M. Goldstein, “Facebook Terms of Use: From Bad to Worse”: http://www.jmg-galleries.com/blog/2009/02/17/facebooks-terms-of-use-from-bad-to-beyond-worse/
• New York Times “Facebook’s Users Ask Who Owns Information” (registration required):http://www.nytimes.com/2009/02/17/technology/internet/17facebook.html
• People Against the New Terms of Service (TOS): http://www.facebook.com/group.php?gid=77069107432

Anyone required to comply with the FTC’s Disposal Rule [the text of the rule can be found here], which requires companies to take reasonable steps to dispose of information contained in consumer credit reports, should take note of a recent FTC enforcement action in federal court from the District of Nevada. On December 30, 2008, the FTC filed a complaint against Las Vegas businessman Gregory Navone alleging that he violated the Disposal Rule and the Fair Credit Reporting Act (FCRA) when he discarded forty boxes of documents into a public dumpster behind an office building in Las Vegas. The boxes contained tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers’ licenses, and other sensitive customer information collected by Navone’s businesses. The FTC seeks monetary damages and an injunction against further violations under the Disposal Rule and the FRCA for Navone’s alleged failure to take reasonable measures to protect customer information.  Interestingly, the complaint also asserts claims under the FTC Act on the basis that Navone failed to abide by his own customer privacy policy, which stated:

We take our responsibility to protect the privacy and confidentiality of customer information very seriously. We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction. . . . From time to time, we enter into agreements with other companies to provide services to us or make products and services available to you. Under these agreements, the company may receive information about you but they must safeguard this information and they may not use it for any other purposes

While the case remains pending, it serves as a reminder from the FTC on the importance of not only taking reasonable steps to protect sensitive customer information, but also living up to customer assurances regarding information security.

Links:

• The text of the FTC's Disposal Rule, 16 C.F.R. Part 682 can be found here (.pdf) or from the FTC's website here (.pdf)
• The complaint filed in FTC v. Navone is available here (.pdf) or from the FTC's website here (.pdf)

As an ever-increasing number of states enact legislation governing identity theft, customer data and personal information, pressure for clear federal legislation governing information security has mounted. For example, in December 2008, the FTC joined the growing number of voices calling on Congress to enact a legislation to create a single federal standard for the handling of personal information. (See our report here.) As we see movement towards a unifying federal standard, we are also observing a growing insistence that such legislation be consistent with the customer data security requirements of the Gramm-Leach Bliley Financial Modernization Act of 1999 (GLBA) and its implementing regulations. As a result, even industries that are not required to comply with GLBA may wish to become familiar with its requirements.

Section 501(b) of GLBA requires agencies with oversight over financial institutions to establish standards relating to administrative, technical and physical safeguards for three purposes: 1) to insure the security and confidentiality of customer information, (2) to protect against any anticipated threats to the security of customer information, and (3) to protect against unauthorized access or use of customer information. 

In 2001, the Department of Treasury, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC) issued Interagency Guidelines Establishing Standards for Safeguarding Customer Information. These guidelines require that financial institutions adopt an information security plan, which must be approved by the institution’s Board. The plan must assess, manage and control threats that could result in unauthorized disclosure of information. The risk guidelines are flexible – they do not require that institutions implement specific risk control or assessment systems, but rather encourage them to adopt measures appropriate to their circumstances. Institutions are then required to monitor the plan and report to the Board annually. In addition, they must also ensure that their service providers implement appropriate measures to secure customer information. In 2005, the Department of the Treasury, the Board of Governors of the Federal Reserve System, and the FDIC issued the “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.” This guidance requires that institutions develop a response plan to address unauthorized access to customer information. As part of this process, institutions must notify customers if sensitive customer information has been improperly accessed and misuse of that information has occurred or is likely to occur.

In 2002, the Federal Trade Commission (FTC) issued its “Standards for Safeguarding Customer Information,” commonly referred to as the Safeguards Rule. The rule apples to financial institutions over whom the FTC has oversight and resembles the interagency guidelines for safeguarding customer information. Like those guidelines, the Safeguards Rule affords institutions considerable flexibility in implementing safeguards. Unlike the guidelines, the Safeguards Rule does not require that the information security plan be approved by the institution’s board, and does not contain customer notification requirements such as those set out in the Guidance on Response Programs, although the FTC does encourage entities to consider notifying customers in the event of a breach. In considering these federal regulations, it is worth noting that the FTC’s recently issued Red Flag Rule implements the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"), and not GLBA, although the FTC does anticipate that many institutions may have implemented some of the practices required under the Red Flag Rule as part of their efforts to conform with GLBA.

Of course, it remains to be seen whether broad federal legislation governing customer data security will be enacted and if so, whether GLBA requirements will be used as a blueprint for such legislation. Regardless, an understanding of GLBA requirements and their effectiveness can help inform the debate around such legislation.

Links:

• The FTC's webpage In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act
• The FTC publication How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act (.pdf)

Security & Privacy Guides [ top ]

Foley Hoag publishes eBooks from time to time. This material is written by lawyers from the Firm's Security & Privacy practice for the purpose of providing general guidance on security, privacy and the law.

• Five Key Steps to Developing an Information Security Program (.pdf) in this eBook, Gabriel Helmer introduces you to the key first steps in developing a written information security program to comply with federal and state regulations.  The eBook also includes our guides to the Federal Trade Commission's Red Flags Rule, 16 CFR 681, and Massachusetts' identity theft regulations, 201 CMR 17.00.
  
   
• [IMAGE] Security & Privacy Guide: FTC Red Flags Rule (.pdf) provides a condensed outline of what you need to know about the FTC's Red Flags Rule, 16 CFR 681.  If you are looking to answer questions about whether the Rule applies to you and what a business needs to do to comply, this is a good place to start.
   
• [IMAGE] Security & Privacy Guide: Massachusetts Identity Theft Regulations (.pdf) is a brief introduction to the Massachusetts identity theft regulations that will walk you through the requirements of these regulations and discusses what needs to be included in a "comprehensive, written information security program."
   
• [IMAGE] Security & Privacy Guide: August 2009 Revisions to the Massachusetts Identity Theft Regulations (.pdf) is a redline comparison of the most recent amendments to the Massachusetts identity theft regulations.

Noteworthy Court Filings & Documents [ top ]

Intro...

• Criminal Complaint: USA v. Alberto Gonzales, Civ. A. No. (D.Mass.) contains the criminal charges against the individual alleged to be behind the massive consumer data breach at Heartland Payment Systems as well as the previous breach at TJX, Inc.
   
• Civil Complaint: American Bar Association v. Federal Trade Commission, Civ. A. No. (D.D.C.) in this case, the ABA seeks a ruling that lawyers are not required to comply with the FTC's Red Flags Rule.
   
•  

Laws, Regulations & Rules [ top ]

Intro.

• Document Listing

Key Publications & Reports [ top ]

Intro.

• Document Listing