Clickwrapped
Who respects your rights online?

Like many of the other companies surveyed, Facebook has extensive rights to any content that you post on the social network. Facebook’s license to your content is also transferable and sub-licensable (meaning that Facebook can sell your content to third parties). However, there is an important qualification. The license is subject to your privacy and application settings. This means, for example, that if you make a particular photo album visible only to friends, Facebook would be violating its terms if it transferred or sold it to anyone other than your friends. The other social networks surveyed, LinkedIn and Google+, are not subject to this restriction. It is not true, as many websites claim, that Facebook can do anything they want with your content.

Facebook’s license to your content ends when you delete it, unless it has been shared with others and they have not deleted it. For example, even if you delete a photo (or close your account), that photo could presumably still appear if it has been shared via private messages, timeline posts, etc. Facebook has also been far too lax in actually removing deleted content from their servers. In some cases, users with a direct link to a photo could access it on Facebook several years after it had been deleted. Facebook should allow users to delete all of their content and deletion should be processed expeditiously.

One area of growing concern is Facebook’s ability to track your activity on sites other than facebook.com. A vast number of sites now contain Facebook “like” and “login” buttons, and the code that powers these buttons provides Facebook with information about you (such as your IP address and the sites you’re visiting), even if you don’t click on them. If you’re logged in to Facebook, it can associate this information with your Facebook account. If you’re not logged in — and even if you’re not a Facebook user — it can still collect this information: a recent change to the Statement of Rights and Responsibilities means that Facebook can now gather information not only about users but also about “non-users who interact with Facebook”. We would like Facebook to be clearer about what information it is gathering from these sites and how it intends to use it.

Facebook gets mixed reviews when it comes to responding to government requests for information about users. Unlike many of its peers, it has not committed to inform users when the government requests information about them; a FAQ on its law enforcement page merely says that “Facebook may notify users before responding to legal process as permitted by law”. It also does not have a record of actively fighting excessively broad government demands in court, unlike Google and Twitter. Although Facebook does not publish statistics about government requests, it does have a comprehensive set of policies for law enforcement requests. 

Amendment

Facebook is the only company surveyed that actively involves users in the amendment process:

• Changes to the Statement of Rights and Responsibilities require at least 3 or 7 days notice (depending on the nature of the change).
• If more than 7,000 users comment on the proposed change, the measure must be taken to a vote.
• The vote is binding on Facebook only if more than 30% of all active registered users participate.

It is highly improbable that 30% of users (approx. 300 million) will vote. Unless Facebook pushes prominent updates about the ballot to all users, most will never find out about it. Currently, the only way of reliably being informed of an upcoming vote is to “like” the Facebook Site Governance page. A June 2012 amendment therefore became effective because only 350,000 users voted, even though the vast majority voted against. If Facebook is serious about the idea of involving its community in the amendment process, this provision needs to be changed.

Termination

Most of the companies surveyed can terminate your account at any time and for any reason. Facebook limits its termination right to cases where you “violate the letter or spirit” of the Statement of Rights and Responsibilities or “otherwise create risk or possible legal exposure for us”. This is certainly a step in the right direction. But the words “or spirit” and the second part of the provision should be struck. If Facebook takes its Statement of Rights and Responsibilities seriously, it should be able to close a user’s account only if they have violated its terms. (If you plan to close your Facebook account, you can use the “Download Your Information” tool to make a copy of all of the information you’ve put on Facebook. )

The Statement of Rights and Responsibilities contains a number of provisions that are so broad and unrealistic that millions of users are probably violating them on a daily basis.

• “You will not tag users or send email invitations to non-users without their consent”. No-one writes to their friends to ask, “May I tag you in this photo?”. Similarly, the idea of asking permission before sending someone an email invitation is nonsensical.
• “If you collect information from users, you will... obtain their consent”. Although this is presumably meant to apply to businesses rather than individuals, as drafted it applies to anyone and is unacceptably broad. If I write down a couple of friends’ phone numbers, am I collecting information without their consent?
• “You will keep your contact information accurate and up-to-date”. This is too strict and needs to be qualified. If get a new phone number and haven’t updated my profile, am I in violation?
• “You will not use your personal profile for your own commercial gain”. Although we understand that Facebook wants to prevent users selling their status updates to advertisers, this is also too broad. People often use Facebook updates to keep friends informed about new business endeavors and they could fall afoul of this provision.