What Facebook's IPO Means for Users

I was interviewed for this PC World piece on the potential impact of Facebook's recently announced IPO on data privacy.  My take:  being a public company brings with it more transparency and more regulation, which will force Facebook to be more cautious and ultimately more open about its privacy policies.  This seems obvious to me, but there are those who suggest that being public will add a profit motive that will push Facebook in the other direction. 

Facebook Settles FTC Charges that It Deceived Consumers, Agrees to 20 Year Consent Order

In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle "charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public," according to the FTC's press release.

In its complaint, the FTC alleged, among other things, that Facebook “users could not restrict access to their profile information to specific groups, such as ‘Only Friends’ or ‘Friends of Friends’ through their Profile Privacy Settings,” despite Facebook's representations that users could impose such restrictions on their accounts.

In the extensive consent order Facebook entered with the FTC, Facebook agreed (among other things) to “obtain initial and biennial assessments and reports . . . from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession,” which assessments and reports will:

  • set forth the specific privacy controls that [Facebook] has implemented and maintained during the reporting period;
  • explain how such privacy controls are appropriate to [Facebook's] size and complexity, the nature and scope of [Facebook's] activities, and the sensitivity of the covered information;
  • explain how the privacy controls that have been implemented meet or exceed the protections required by Part IV of this order; and
  • certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the reporting period.

This consent order will last for an astoundingly long time:  20 years.  (Query whether this agreement's terms and length will become the standard for future FTC privacy settlements.) 

Facebook founder Mark Zuckerberg also released a blog post on the settlement, and in it he announced a split in the company's privacy officer role:  Erin Egan will become Facebook's Chief Privacy Officer, Policy, and Michael Richter, currently Facebook's Chief Privacy Counsel, will become Facebook's Chief Privacy Officer, Products.

Upcoming Seminar: "He Posted What? Dealing with Social Media in the Modern Workplace"

Please join Foley Hoag’s Labor and Employment attorneys on November 15 from 8:30 a.m. to 10:00 a.m. for a discussion of new challenges that employers face with social media. Topics to be reviewed include:

  • Employer monitoring of employee activities on social media sites such as Facebook, Twitter and LinkedIn;
  • Whether employers can discipline employees for their posts, including new developments at the National Labor Relations Board;
  • Whether employers should have a social media policy; and
  • The impact of social media on non-compete and non-solicitation agreements.

Click here for registration information.

Changing Tactics in the Cyber Underground

Interesting article in the recent Economist on the battles within the cyber underground.  Take a look at some of the bigger players in this space: Anonymous (with its threat to "kill Facebook") and LulzSec.  They present a pretty scary image of our near future.

Facebook Posting about Patient=HIPAA Violation=Physician Sanctions

The case of Dr. Alexandra Thran should cure any physician of the desire to discuss a patient on Facebook.  Dr. Thran has been reprimanded by her state's Medical Board and lost her emergency room privileges. Although the posting in question did not list the patient’s name, Dr. Thran provided enough details so that at least one other person could identify the patient. The result was irreparable damage to her career. 

In an article in the most recent Annals of Internal Medicine discussing this case, the author referred to Facebook as the “new elevator.”  Those familiar with hospitals will recall the ever-present signs reminding health care providers to take care about what they say on elevators.  Whether you are in health care or in another industry, it is important to remind employees that what they say online is not private, that even when they do not name people, the dots can be connected, and that the repercussions of doing so can be significant.

Restricting Employees' Internet Conduct May Violate Federal Labor Law

The following post was drafted by my colleagues Rob Fisher and Brian Bialas; although their focus is on the employment law aspects of this issue, the implications for corporate security/privacy policies are significant.  In particular, they note that such policies must not prohibit employees from criticizing their employer.  Time to check your existing policies on this point.

*  *  *

The rise of social media websites has created a host of challenges for employers. An employee’s post about his or her job can lead to claims of defamation or harassment by co-workers or may reveal confidential information. For these and other reasons, employers are taking steps to regulate what employees can and cannot do on the Internet. The recent issuance of a complaint by the General Counsel of the National Labor Relations Board (“NLRB”) against an ambulance company, however, is a reminder that efforts by employers to police employees’ posts on social media websites may run afoul of the National Labor Relations Act, the federal labor law. Although federal labor law has never before been applied to social media sites, the General Counsel alleged in the complaint that the company’s blogging and Internet policy was illegal and that the company unlawfully fired an employee for posting critical comments about a supervisor on her personal Facebook site.

According to the complaint, the company maintained a blogging and Internet policy that prohibited employees from posting pictures of themselves which depict the company, its logo or its ambulances and from “making disparaging, discriminatory or defamatory comments when discussing the Company or the employee’s superiors, co-workers and/or competitors.” Because the NLRB has long held that employees have the right under federal labor law to criticize their employer, the General Counsel alleged that this policy was unlawful.

Further, the General Counsel alleged that the company unlawfully fired an employee, Dawnmarie Souza, for engaging in conduct protected by federal labor law. According to the complaint and a press release issued by the NLRB, Souza criticized her manager on her personal Facebook site, which prompted supportive comments from her co-workers. She then posted additional negative comments about the supervisor. The company suspended and then fired her for violating its blogging and Internet policy. The General Counsel alleged that Souza’s posts constituted protected, concerted activity under the National Labor Relations Act and that her termination was unlawful.

A hearing on the case is scheduled for January 2011, and ultimately the NLRB will decide whether the employer in fact violated federal labor law. If the NLRB finds against the company, the employer may be ordered to reinstate Souza with back pay.

The potential application of traditional labor law principles to posts on social media websites is a concern for both unionized and non-unionized employers. While Souza was represented by a labor union, this fact was irrelevant to the General Counsel’s allegations because both represented and unrepresented employees have rights under federal labor law. This means that all employers must be cautious when drafting policies which restrict employees’ conduct on the Internet. Even in the absence of a policy, employers must think twice before taking disciplinary action against an employee for an Internet post which is critical of the company or its managers.

Incident of the Week: Clickjacking Worm Induces Thousands of Facebook Users to "Like" Infected Websites

This week was an unusually optimistic one for hundreds of thousands of Facebook users who found that their accounts were automatically endorsing numerous oddly titled websites.  If you have been avoiding Facebook, your closest Facebook user (anyone under the age of 30 is a safe guess) can explain that one way users have to share things with their friends, including websites, musicians, television shows, ideas and other users, is to click the ever-present "Like" button.  Some have begun to call this new exploit "likejacking."

The culprit for this unintentional optimism appears to be a "clickjacking" worm that exploited a vulnerability in web browsers used to access the victim's Facebook account.  While the victim is logged in to Facebook, his or her account will spontaneously "Like" web links with titles such as "LOL This girl gets OWNED after POLICE OFFICER reads her STATUS MESSAGE."  As a result, a user's Facebook friends are encouraged to visit the sites.  Clicking the link will take users to a website that states "Click here to continue" and clicking the message apparently causes subsequent users' accounts to begin the same automatic referrals to their friends. 

If you have begun to notice that you are "Like"-ing websites more than usual, Sophos makes the following recommendation to users who have been infected:

If you believe you may have been hit by this attack, view the recent activity on your news feed and delete entries related to the above links. Furthermore, you should view your profile, click on your Info tab and remove any of the pages from your "Likes and interests" section.
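The worm described above works only because the page carrying the "Like" button can be loaded inside a frame on the attacker's page, where the button is hidden under a disguised "Click here to continue" element. The standard defense belongs to the site being framed: it tells the browser not to render it inside third-party frames. The following is an added example (not code from the post, from Sophos or from Facebook) that evaluates the anti-framing headers of an HTTP response the way a defender auditing a site would; the header values and the sample header sets are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class FramingPolicy:
    restricted: bool  # True if arbitrary third-party sites cannot frame the page
    source: str       # which header produced the verdict
    detail: str


def _get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def framing_policy(headers):
    """Classify a response's anti-framing posture from its headers.

    Browsers give Content-Security-Policy's frame-ancestors directive precedence
    over X-Frame-Options when both are present, so it is checked first.
    """
    csp = _get_header(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [p.strip("'").lower() for p in parts[1:]]
                if sources == ["none"]:
                    return FramingPolicy(True, "CSP frame-ancestors", "no origin may frame the page")
                # A wildcard or a bare scheme source lets any site on that scheme frame the page
                if "*" in sources or any(s in ("http:", "https:") for s in sources):
                    return FramingPolicy(False, "CSP frame-ancestors", "any origin may frame the page")
                return FramingPolicy(True, "CSP frame-ancestors", "framing limited to: " + " ".join(sources))

    xfo = _get_header(headers, "X-Frame-Options")
    if xfo:
        value = xfo.upper()
        if value in ("DENY", "SAMEORIGIN"):
            return FramingPolicy(True, "X-Frame-Options", value)
        if value.startswith("ALLOW-FROM"):
            # Legacy directive with inconsistent browser support; treat as an allow-list
            return FramingPolicy(True, "X-Frame-Options", value)
        # Unrecognized values are ignored by browsers, which leaves the page frameable
        return FramingPolicy(False, "X-Frame-Options", "unrecognized value: " + xfo)

    return FramingPolicy(False, "none", "no anti-framing header present")


# Constructed sample header sets: a frameable response and a hardened one
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=constructed-example; HttpOnly",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        verdict = framing_policy(headers)
        print(f"{label}: restricted={verdict.restricted} via {verdict.source} ({verdict.detail})")
```

Run against real responses, the function is fed the headers of the page that hosts the sensitive button, not the attacker's page; a result of `restricted=False` on such a page is the finding worth reporting. Note that both headers need to be sent on every response that renders the button, including error pages and redirects.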


Incident of the Week: Blogger Shows Us How to Listen In On Private Facebook Chat

Yesterday, Facebook took down their Chat services to patch a flaw in Facebook's new privacy settings that allowed users to listen in on private chat conversations.  This apparently came hours after TechCrunch EU blogger Steve O'Hear taught the world how to exploit the flaw in his TechCrunch post and video.  O'Hear was "tipped off that there is a major security flaw in the social networking site that, with just a few mouse clicks, enables any user to view the live chats of their 'friends'."

Facebook rolled out its Facebook Chat feature in February of this year.  The service allowed users to send live text messages to other Facebook users on their "Friends" list.  The flaw apparently allowed users to listen in on these conversations, as well as see other private information about friends' Facebook accounts.

Once Facebook was informed of the exploit, Chat services quickly became unavailable.  A few hours later, Facebook provided the following statement:

For a limited period of time, a bug permitted some users’ chat messages and pending friend requests to be made visible to their friends by manipulating the “preview my profile” feature of Facebook privacy settings. When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function. We also pushed out a fix to take care of the visible friend requests which is now complete. Chat will be turned back on across the site shortly. We worked quickly to resolve this matter, ensuring that once the bug was reported to us, a solution was quickly found and implemented.

This is an ironic twist in Facebook's recent efforts to combat criticism of the service by adding more advanced privacy features; however, the problem appears to have been resolved. 



Incident of the Week: Israeli Soldier Posts Details of Planned West Bank Raid on Facebook

This week the Incident of the Week title decisively goes to the Israeli soldier who updated his status on Facebook to identify the secret military raid on a town in the West Bank.  His status apparently read: "On Wednesday we clean up Qatanah, and on Thursday, god willing, we come home" and provided the exact time of the raid.  After detecting the clear breach of OPSEC, the Israeli Defense Force (IDF) canceled the raid and jailed the soldier for 10 days. 

The IDF has apparently begun distributing posters depicting a fake Facebook page with friend requests from Iranian and Syrian presidents as well as a Hezbollah chief with the question: "You think everyone is your friend?"

Facebook Changes User Privacy Controls

Last month, Facebook announced plans to simplify its users' ability to control privacy settings. Facebook will standardize privacy settings, remove overlapping settings, and put all settings on the same page. In an effort to give users more control over how their information is shared, Facebook will allow users to decide, on a post-by-post basis, with whom to share their content. Users will have the option of sharing their posts with: 1) only specific friends, 2) all friends, 3) friends and people in the user’s network, 4) friends of friends, or 5) everyone. According to media reports, the "everyone" option will soon expand to include anyone on the internet – a move widely seen as an attempt to compete with Twitter. Facebook will launch a Transition Tool that will prompt users to set their level of sharing, and will carry over previous privacy settings.  

The announcement carefully explained that the changes would not affect the information Facebook provides to its advertisers – a topic related to the controversy earlier this year surrounding proposed revisions to the Facebook terms of service.  Instead, Facebook will continue to provide advertisers with only that information that users have authorized.

With the changes, Facebook will provide users with more options for controlling access to their content.  As one might predict given the current climate favoring increased user control over privacy, Facebook's proposed changes have largely been well received. Only time will tell whether most users will exercise this control to share their data or whether they will favor keeping their information private.


Bozeman, Montana Suspends Controversial Requirement That Job Applicants Provide Usernames and Passwords to Facebook Accounts

When, in June, the City of Bozeman, Montana sought to change its job application to require municipal job seekers to disclose usernames and passwords for popular social networking sites, it immediately drew widespread criticism.  Specifically, Bozeman asked applicants to "Please list any and all, current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc."  In the aftermath of media exposure, Bozeman has decided to "suspend its practice of reviewing candidate’s password protected internet information until the City conducts a more comprehensive evaluation of the practice."

On June 19, 2009, city manager Chris Kukulski officially apologized (.pdf) for the intrusive application, stating “[t]he extent of our request for a candidate’s password, user name, or other internet information appears to have exceeded that which is acceptable to our community.”

This controversy is another indication that social networking sites and other digital media are coming under greater scrutiny as employers conduct background checks. For example, the application for high-level political positions in the Obama transition phase required applicants to include copies of e-mails that might embarrass the President, copies of all blog posts, a link to one’s Facebook page, and a list of “all aliases or ‘handles’ . . . used to communicate on the Internet.”

The Bozeman application would have required applicants to violate Facebook’s Terms of Use, which state that “You will not share your password, let anyone else access your account, or do anything else that might jeopardize the security of your account.” In addition, Bozeman’s request apparently was limited to obtaining usernames and passwords and did not seek authorization to access applicants’ sites. Consequently, any access by city officials might have run afoul of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2)(C), which prohibits intentionally accessing a “protected computer” without authorization.


Class Action Lawsuit Continues Against Blockbuster For Making Video Rental Information Available to Facebook Users

On April 15, 2009, a federal district court issued a decision that keeps alive a woman's suit "against Blockbuster and the way it offers information to the social networking site Facebook."  This was reported in the Dallas Business Journal.  In the ruling (.pdf), the court denied Blockbuster's motion to compel arbitration by holding that an arbitration clause in the "Terms and Conditions" of Blockbuster Online was unenforceable. 

The case is being brought as a class action under the Video Privacy Protection Act, 18 U.S.C. s. 2710, which was enacted after a newspaper published a list of 146 video tapes rented by the family of Supreme Court judge nominee Robert Bork.  According to the court's opinion, Blockbuster entered into an agreement with Facebook which caused the movie rental choices of Blockbuster Online's customers to be sent to Facebook, which would then broadcast those choices to the customer's Facebook friends.  Plaintiffs claimed this violates the Video Privacy Protection Act, which prohibits a videotape service provider from knowingly disclosing personally identifiable information concerning any customer of the provider unless the customer gives informed, written consent at the time the disclosure was sought (the Act provides for certain other exceptions not applicable to the case).  The Act provides for liquidated damages of $2,500.00 for each violation.

According to the Plaintiffs' complaint, when a Blockbuster Online customer rented a movie or placed a movie into their queue, a notification would pop up in the bottom right hand corner of the screen informing the customer that the information would be sent to the user's Facebook friends.  The customers were allegedly given an opportunity to prevent friends from seeing the information by marking an "x no thanks box," but if they did not respond quickly enough, the pop up went away and a "yes" was sent to Facebook.  The customer's selection was then placed in the customer's news feed on their Facebook profile and in their friends' news feeds, along with a picture of the individual and a Blockbuster ad.  The complaint also alleges that the summary is sent to a user's Facebook profile even before the user has a chance to decline the distribution of his/her personal information (unless the user has marked a privacy feature telling Blockbuster never to send summaries).

Blockbuster has appealed the court's decision to the U.S. Court of Appeals for the Fifth Circuit.  The issue of whether the case is subject to arbitration is a narrow one that has little, if anything, to do with the actual merits.  What will be more interesting is to see how the case plays out if the Fifth Circuit affirms and the case moves forward in the district court.


Lessons Learned from Facebook's Terms of Service

By Gabriel M. Helmer and Aaron Wright

When Facebook changed its official terms of service earlier this month, what ensued was an explosive public outcry over who owns what users post to social networking sites. Tens of thousands of Facebook's 175+ million users suddenly clicked that often-overlooked link at the bottom of the webpage and pored over the arcane and legalistic language comprising Facebook's terms of service. For many, this was no doubt the first time they had ever read the policy. Below, we recap the recent controversy and discuss the three lessons Facebook and the rest of us should have learned from this series of events.

Recap: Facebook Revises Terms of Service, Ignites Massive Public Firestorm

On February 4, 2009 Facebook announced on its official blog that it had updated its terms of service and provided its customers with a link to those new terms of service. The revisions went little remarked upon until February 15th, when The Consumerist, Consumer Reports' official blog, posted a story entitled “Facebook's New Terms Of Service: ‘We Can Do Anything We Want With Your Content. Forever.’” The post focused on a revised clause that provided Facebook with irrevocable rights to use its users’ likenesses and content:

You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof.

The most significant change from the original terms was that the revised clause excised a sentence that terminated Facebook's license to user content:

You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.

After the Consumerist broke the news, the post received over 300,000 hits in a single day (according to the New York Times) and after the post ignited a firestorm of criticism, blog posts and articles, one Facebook user created the user group “People Against the New Terms of Service (TOS)”.  Two days later, the Consumerist reported that more than 750 articles had been written on the subject and the People Against the New Terms of Service group had 64,000 members.  As of this posting, the group is over 141,000 members and growing.  This may make Facebook's recent revision the most controversial event that has ever occurred in the history of website usage policies. 

Facebook responded to the criticism within days.  First, on February 16, 2009, Facebook attempted to explain that they did not believe the new terms of service did what critics said they did.  Then, Facebook withdrew the revised terms of service two days later, on February 18, 2009, and created a user group to open up discussion on a Facebook Bill of Rights and Responsibilities. Facebook appears to be attempting to harness this controversy to power continued user debate and involvement in the site. 

Below we discuss three key lessons to learn from the controversy over Facebook’s terms of service.

Lesson 1: My Information Is Mine, No Matter What I Do With It.

What will make millions of Facebook users suddenly stop ignoring the link that has always been at the bottom of their Facebook profile and actually read the terms of service? The answer is: a rumor that their vacation photos, wall-to-wall conversations with friends and movie compatibility test results are no longer theirs to control.  Much of the criticism comes from a simple objection to Facebook asserting ownership of its users’ creative works and personal photographs, no matter how widely they are distributed. Like it or not, the clear concern voiced by tens, if not hundreds of thousands of Facebook users is that their photos and content belong to them, not Facebook.  Anyone who permits users to create or post their own on-line content should be paying careful attention here. Social networking permits users to generate public content, but there is an emerging view, if not a consensus, that a user is entitled to a certain degree of control over the content that she or he generates.

Lesson 2:  No One Likes Legal Terminology, Especially When the Terms Apply To Me

Perhaps the greatest irony of the Facebook controversy is that it demonstrates that few users have ever read the terms of service before. There has been loud criticism of Facebook for asserting an "irrevocable, perpetual . . . worldwide license" of user content (see user comments here), even though this language was taken word for word from the original terms of service. As lawyers, some of us have become used to this kind of legal boilerplate, but when the news of Facebook's revision hit, users turned in record numbers to the terms of service and discovered, for the first time, an uncomfortable twinge at the thought that anyone, let alone Facebook, had something "perpetual" or "irrevocable" to do with the pictures from their last family reunion or Friday night's cocktail party. Even lawyers have become concerned, judging from the number of lawyers from a wide variety of practices that we recognize among the members of the People Against the New Terms of Service user group. 

It may be necessary for Facebook to obtain certain legal rights to user content because it has to store, manage and archive this information.  But, the Facebook firestorm teaches us that policymakers and lawyers may sometimes need to spare the overbroad legal boilerplate and reassess what rights are really necessary to operate.

Lesson 3:  Let’s Discuss, Not Dictate

Finally, the introduction of the new terms of service was seen by some as having been done in an inappropriate manner. Some claimed that Facebook did not inform users of the change to the terms (see here), while others argued that the notification provided to users of the new terms of service was too subtle. In response to this criticism, Facebook has been quick to open lines of communication. It created a user group to discuss changes it believes it must make to the terms of service and is allowing users to comment on proposed policy before it is implemented. While there has been talk that the solution is greater transparency so that users know what policies you are considering, it seems the greater lesson to be learned here is to know your users.
