

Facebook Tries to Make Violations of Terms of Use Into Criminal Violations - there
http://www.eff.org/press/archives/2010/05/03

======
mdasen
Considering that Facebook has asked for my email username and password in
order to scrape the contacts from my email, this seems hypocritical. So, it's
ok for Facebook to scrape data from other sites since that's data going into
Facebook (per the user's wishes), but it isn't ok for other sites to scrape
Facebook data (per the user's wishes).

~~~
what
I thought everything Zuckerberg ever built was based on scraping other
people's data. Even now, didn't they pull info from Wikipedia for their pages
about your interests?

~~~
sp332
That's not against Wikipedia's ToS.

~~~
what
Ok, I've never read their terms of service, until now. I'm guessing they have
provided credit to the actual authors with a link to the original article and
included a licensing notice? (not on Facebook)

~~~
neilk
Wikipedia's Terms of Use basically just guide you to act in a manner
compatible with the Creative Commons Attribution / Share-Alike license, as
well as the earlier GFDL license. (I am not a lawyer, probably there are
significant additions, that's just my take on it).

<http://wikimediafoundation.org/wiki/Terms_of_Use>

Facebook could have scraped Wikipedia without asking, but as it happens, there
is an agreement in place. I happen to work at the WMF, but don't ask me for
more details, I'm not that privy to them.

This thread might help.

<http://www.gossamer-threads.com/lists/wiki/foundation/194087>

~~~
what
Interesting. The thread certainly makes it seem like it will be mutually
beneficial. Maybe Facebook is a little less evil than I think, considering
they gave a heads up.

------
jlangenauer
So, when Facebook asked for our email account credentials so that it could
scrape our address books, that would also count as "criminal trespass"?

Breathtaking hypocrisy.

~~~
ErrantX
Well it depends if googlemail et al disallow automating access in their terms
(I don't believe they do).

Clearly very douchey though.

~~~
detst
<http://code.google.com/apis/contacts/>

I have no idea if they use this for gmail or similar methods for other
services.

~~~
papachito
They were not, this is relatively new.

~~~
bruceboughton
Not that new.

------
sraybell
Time to start donating to the EFF. They seem to be the only ones looking out
for our rights online... They've surprisingly been on the ball, consistently,
when these organizations (especially Facebook), do potentially dangerous
things with regards to the separation of civil and criminal, to outright
privacy violations.

~~~
hoggle
Those people are the best, I have been admiring them for a long time.

<http://www.google.com/search?&q=electronic+frontier+foundation+donation>

------
apu
I know we have several HN users who work at facebook. Do they:

1\. Not care?

2\. Not see this happening?

3\. Not see anything wrong?

4\. Can't do anything?

5\. Know the "truth," which is substantially different than that being
reported?

It seems like one of these ought to be true, and at least in the case of (1-3)
should be able to report as much to us.

~~~
hoggle
If I were working at Facebook this would be the time I would quit. In these
times of almost endless opportunities not being able to be working _socially_
responsible while still creating value plus being my own woman/man seems
somehow anachronistic to me.

~~~
pyre
> _In these times of almost endless opportunities_

I think that you forgot to suffix that with "for developers in Silicon
Valley." With the high unemployment rates, I presume there are a lot of people
that don't have the luxury of tossing a job due to moral/ethical dilemmas.

~~~
derwiki
Turns out the people in question _are_ developers in Silicon Valley, and I'm
pretty confident a Facebook engineer could get another job in the valley if
he/she wanted.

------
ErrantX
Let's take a small step back here; just like the anti-Google sentiment that
was about a few months back, it seems it is Facebook's turn to face the fire
(mostly their fault).

A lot of what they are doing is, at best, ethically unsound or, at worst,
privacy invading. In this case I'd say (from initial reading) it sits on the
scale slap bang in the middle of _"a douchebag thing to do"_.

But. It doesn't feel _hypocritical_ because their argument is that their ToS
attempt to deny users the right to access their accounts this way. The Email
services, _as far as I am aware_, that FB scrape either explicitly allow _or_
do not disallow such action. It seems "axe grinding" to bring that into the
discussion.

Notably this article does not appear to discuss or link to articles about the
suit Facebook has filed [meta point: I hate that, it feels sneaky]. It appears
(from research) that it is a long-running dispute between Power and Facebook.
They have also filed Trademark infringements and other stuff against them at
the same time (no comment on the general legitimacy of such claims for the
moment).

I haven't fully digested all the information to have a complete opinion on
this but... I think that this is part of Facebook trying to win the wider
battle with Power.com, I'm not sure it reflects a deliberate move by them to
try and turn ToS violations into criminal violations. However I am definitely
in agreement with the EFF that if a potential side effect of any eventual
ruling will bring in such criminal elements then it is a bad thing and should
be fought. Hopefully when I can actually open all the PDF filings the picture
will be clearer :)

References (I believe this is the suit being referred to):

<http://www.niallkennedy.com/blog/2009/01/facebook-vs-power-ventures.html>

<http://jolt.law.harvard.edu/digest/9th-circuit/facebook-inc-v-power-ventures-inc>

<http://en.wikipedia.org/wiki/Facebook,_Inc._v._Power_Ventures,_Inc.>

EDIT: amusingly TechCrunch seems to have the best summary of things from last
year...
<http://techcrunch.com/2009/07/09/powercom-countersues-facebook-over-data-portability/>

~~~
VBprogrammer
I find in a surprising number of instances today's hacker news is tomorrow's
mainstream news. If the tech blogs are buzzing with this story today you will
often find this as a side story on mainstream news sites (the bbc etc)
tomorrow.

This will get facebook's attention.

~~~
ErrantX
I doubt they will do it full justice - there is over a year's legal dispute in
the background of this.

What the EFF are worried about (I've read their submission but the original FB
brief is downloading reaaaaly slowly) is that where Facebook are claiming
_Power_ have committed a criminal offence in ignoring a cease and desist and
accessing people's accounts (apparently contrary to the ToS) the extension that
could come from a favourable ruling is that individuals may be breaking
criminal laws too (Cal sec 502(c) in particular).

Clearly that is silly and the EFF are asking the courts to see that.

------
ajg1977
Lately Facebook seem all too happy to trade the goodwill and trust of their
users for control and monetization over their data.

It's getting a little creepy.

~~~
jessriedel
I agree, but the prevalence of FB on the HN front page is a little suspect.
There have been at least 10 negative FB posts on HN in the past couple days. I
think someone's got an axe to grind...

~~~
codingthewheel
That someone is "people" and the axe they have to grind is "stop trolling the
personal data you unscrupulously collected from us in the first place by
hoodwinking us into thinking you actually MEANT the meaningless drivel in your
privacy policy."

~~~
ErrantX
I've not fully kept up with all the stories recently (been busy, I have a
pretty open FB account anyway etc..) but as far as I was aware the only really
problematic thing (from a privacy perspective) was the new favourites/likes
etc. thing where certain things can appear on the "fan" page without you
really realising.

I wasn't aware of anything else specific that was bending the privacy policy
to the limit? Anyone care to fill me in on the TL;DR version?

(the social graph, as far as I saw, obeys your privacy settings)

~~~
megablast
Selling all your details to advertisers.

Constantly changing what is private and what is public.

Getting upset at someone using the data that they provide to the public for
research purposes.

There is more.

~~~
kmavm
"Selling all your details to advertisers."

Simply, no. There is no check you can write to facebook in order to get a
particular facebook user's, or set of users', information.

~~~
yellowbkpk
Nope, they give it out for free via the graph API.

------
lukev
I agree with the EFF 100% in the article. But it's not always so clear.

What if I agree to developer Terms of Service that say I can't disseminate
users' information, then publish an Identity Theft Target List with information
pulled from the Facebook API?

Seems like that should be a criminal violation, even though I "only" violated
a TOS.

~~~
scott_s
I don't think your list would be substantially different from a phone book.

~~~
lukev
The way Facebook is going, and with how many people absolutely fail to
understand what security settings it does provide, it'd be pretty easy to cull
a list of all residences in the past 5 years, city of birth, mother's maiden
name, favorite band, favorite pet, first boyfriend's name, and a decent photo.

~~~
jrockway
You should do it!

Remember that Palin's Yahoo! mail account was hacked because someone figured
out the answer to her security questions. Security questions are a dumb idea.
Send me a fucking SecureID...

~~~
paulbaumgart
Would the impact of such a list really outweigh the risk of aiding and
abetting identity theft?

There's probably a way to accomplish the same effect without making the
aggregated data public. Maybe sharing the results with some news outlet?

~~~
jrockway
Wikileaks?

------
pierrefar
Geez facebook. Bye forever. Account not just deactivated, but deleted.

~~~
natrius
That is quite possibly the least effective means of protest I can imagine.

~~~
kevinh
How?

I can imagine less effective scenarios. 1) Not changing your life at all. 2)
Not touching your Facebook page again. 3) Dressing up in a chicken suit and
dancing around a major intersection. etc.

If you delete your Facebook page, it's one less user that Facebook can claim
to have; if enough people do it, it could put a dent (however minor) in their
bottom line.

~~~
natrius
As with any sort of vote, it's not your vote (or account deletion) that
matters, it's the number of votes you convince people to make. It just seems
odd to me when people trumpet insignificant actions when they clearly won't
make a difference. If you want Facebook to change their policies, you're going
to have to do more than delete your account.

~~~
codexon
Every vote counts. What the masses lack in influence, they make up with in
numbers... unless you discourage them with comments like yours.

~~~
megablast
Every vote counts is a huge lie, perpetrated by those that govern, to make us
feel that we actually have a say in the government. So we don't actually try
to do something.

And you are not a mass, you are one person. And if your friends are anything
like mine, you are not going to convince them to leave. Most people are happy
to give up a little privacy, for the ease of keeping in touch with their
friends that FB offers.

FB has a critical mass, so it is not as easy as suggesting an alternative.

~~~
pyre
I think you're missing that point. By saying, "You're a single person, you
cannot affect change," you are discouraging _everyone_ that would have (in
this case) deleted their Facebook account. What if the number of people
independently inspired by such an article is enough to make a minor dent in
Facebook's bottom line? But they won't do that because of the constant beating
of the, "Your vote is just a single vote and cannot matter" mantra.

Sure, convincing a group of people to delete their Facebook accounts is better
than just deleting your own, but discouraging people en masse from enacting
simple changes also discourages emergent behaviours in the crowd before they
even start.

------
hans
Some day... that federated social networking channel will sprout up... and
each person can host their own identity and friends and silly wall posts on
the home workstation. Then we can forget about all the ad spam corporations
attempting to jack our shxt.

~~~
derefr
Who would own/host a conversation between you and friend X, you or X? Who
would have the right to "delete" it? The point of a social _graph_ is that all
the _useful_ information exists on the edges, not at the vertices.

~~~
hans
Sure, but if you think about it, you can host yourself as a vertex with all
these incoming / outgoing / directed or not associations and any available
number of key/value stores or open graphs for shared data, which could be
negotiated as needed. Services might crop up to provide this. It doesn't have
to be all users under 1 roof for the entire internet.

~~~
hans
And this fB open graph nonsense ... you'd have your own property sheet(s) of
namespaced attributes (or semantic triples) and websites can negotiate with
you for access. Ultimately no corporation would be able to dictate how your
data store can be used. Legally it would be your own data domain from the
ground up. Check out VRM ...

------
DanielBMarkham
We need about 100 programmers to go out right now and start writing code that
allows users to download and update information from their Facebook social
graph. Let them fight a hundred legal battles instead of just one.

I've seen this coming for some time. There is going to be a war over who owns
the data about each person, the person themselves or some service provider. I
know that legally the service provider owns it, but I'm not thinking that is
the way most people see it. This is a case where the law has gotten very far
out of sync with the public (and with the first principles of natural law and
personal property, but that's a discussion for another time)

~~~
grellas
The EFF brief in this case states at page 7 that "Facebook users own the
information they store with the company" and that Facebook's "terms of service
confirm this and it is not subject to dispute here." (citing Facebook's
Statement of Rights and Responsibilities sec. 2,
<http://www.facebook.com/facebook?ref=pf#!/terms.php?ref=pf>).

That said, your basic point still stands because the issue is one of who gets
to _control_ the data about each person. In effect, Facebook has tried to trap
the data for its own exclusive use through its terms of service, even while
confirming that technical ownership lies with the user.

Some highlights from the EFF brief that bring out some of the tension on these
issues:

1\. FB is really trying to apply a heavy hand against third parties such as
Power Ventures who have the temerity to supply tools that allow users to gain
more control over their own data and how they use it. Section 502(c) of the
California Penal Code criminalizes unauthorized access to network data (among
other things) whenever someone "knowingly accesses and without permission"
does certain things with such data (including if someone merely "accesses or
causes to be accessed" such data). The major 502(c) precedent of a third
party getting busted by Facebook itself is the case of ConnectU, which had
been sued by FB for scraping email addresses of non-ConnectU customers from
the FB site and then spamming them. In that case, the access violated
Facebook's terms of service and ConnectU was found liable. However, ConnectU
had accessed the information from FB users who had _not_ given it permission
to gain that access. ConnectU had argued that it did not violate 502(c)
because the users had made their email addresses available to FB and that it
thus did not engage in unauthorized access in violation of the statute. The
court disagreed, finding that the FB users could disclose their email
addresses for "selective purposes" only without giving third parties broad
rights of access to them. Given this precedent, FB is claiming that Power
Ventures is similarly liable for gaining access to FB user data in violation
of FB terms of service. Thus, the key distinction by which EFF seeks to
distinguish the precedent is by saying that, here, the users not only own the
data but also give their permission to Power Ventures to access it. EFF
further argues that any violation of FB terms by Power Ventures or by users
might be grounds for civil liability but is irrelevant to the question of
whether a criminal act has been committed by such access because the only time
this would amount to a crime is when a user's rights are violated by someone
who hacks into their data without their permission. Therefore, "[w]hen a
person is authorized to access certain information . . ., mere use of an
unapproved technology to access that information cannot constitute a criminal
act under California Penal Code section 502(c)." (Brief at p. 10) The EFF
brief (submitted as an "amicus" or friend-of-the-court brief) is compelling on
this point and makes FB's position look pretty laughable - I think the court
will side with Power Ventures on this one.

2\. FB has already won a round in this fight with Power Ventures by getting a
related ruling to the effect that the FB terms of service effectively deny
users the right to authorize circumvention of FB's technological protection
measures for purposes of copyright circumvention. In other words, even though
users might authorize a third party to have access to their information, FB
can block such access on at least one important ground via its TOS (thus
trapping the data for its exclusive use).

3\. In February 2009 Facebook tried to modify its terms of service to give FB
the right to continue to use content indefinitely, even if a user tried to
delete it or even quit the service. This created a firestorm and FB dropped
this effort. This was not for legal reasons but for practical ones - it could
not afford to alienate users in this way.

4\. The civil claims that Facebook might assert against third parties for
violations of its terms of service are considerable and this appears to be the
main vehicle by which FB is trying to prevent others from gaining access even
if the users themselves are giving the third party permission to have such
access. The contract claims are pretty clear in such cases, and FB can even
terminate the accounts of users who violate its TOS in this way - but, again,
the tension point is that FB does not want to alienate its users even as it
seeks to corral their data for its own commercial use exclusively. Yet the
contract-type barriers are formidable in this respect and FB may well get away
with it if its TOS are ultimately upheld and are not found to violate public
policy so as to render them unenforceable.

My own observation: it seems that, more and more, companies are trying to set
up their own playgrounds where they control everything and capture the value
for themselves (the parallel with 3.3.1 in Apple's terms of service cannot but
come to mind). In each case, third parties attempt to gain access to the
walled-off platform in an attempt to make its value (information in the case
of FB; apps in the case of Apple) accessible to other competing platforms and
are met with stiff resistance in the form of overbearing terms of use that
seek legally to prevent that value from being shared. Of course, in any such
scenario, two things happen: (1) the users lose because of the arbitrary
restraints; and (2) the law is pushed to the limit and questions begin to
arise about how enforceable some of these restraints really are. All this will
be tested over time but the battle is already pretty fierce.

~~~
DanielBMarkham
I agree, grellas, and although I use the word "war" with some concern, in this
case I believe this is truly an economic and personal property conflict which
is already politically intense and threatens to continue escalating.

The theory is this: are computers, programs, and data pieces of external
property that can be manipulated in a traditional manner by the courts? Or are
they extensions of the individual's mind? I think the law views it as the
former, but I think the citizenry is more and more viewing it as the latter.
And no amount of precedent or legal force is going to change that. Sometimes
the law IS an ass. You can have all the Facebook Dred Scott cases you want,
and it's only going to make matters worse.

I have been standing by mostly idle as this developed, but I more and more
feel compelled to act -- protest, write letters, petition, sue, etc. That's
unusual for me, as I am not an activist by any means.

------
pstevensza
So what's a viable strategy for complaint? People are used to ignoring EULAs
and TOS by now. They just want to use Facebook, comment on photos, join
groups, play games and keep in touch with friends and family. They don't see
this kind of thing as a violation. As long as they're accessing their
information on www.facebook.com (accessed by a Google search), why would this
worry Joe Average User? Some will see it as a good thing, as it would be
effectively illegal for anyone to aggregate their information outside of
Facebook. Most of the people I quiz about Facebook don't know who Mark
Zuckerberg is, much less care what he does with their data. What worries me is
that the route to the escape hatch is buried ever deeper with each
reincarnation of the interface and the privacy settings are more complex and
time consuming than configuring a robust PF firewall. I'm also considering
switching my marital status from single to married just so that I can see ads
that don't have anything to do with hook up sites. I would consider an insider
protest, where I splash privacy concerns on my wall in my friends' news feed,
but they all know where the hide button is. A more interesting approach would
be targeting friends' data from outside the site, building a profile and using
it nefariously as an object lesson. I fear though that the net result would be
a response along the lines of: "This is why Facebook are making this kind of
thing illegal". Ultimately, I think you're forced to vote with the delete
button. 400-million people who consider E! Entertainment an educational
documentary channel really don't give a hoot. Given the vast amount of
government and corporate meddling that they already ignore, this is simply one
more thing to add to the pile. I do care about it, I support the EFF with a
monthly debit order and I talk to people about the concerns. Many just don't
see Facebook's actions as an issue.

------
nfnaaron
gmail TOS:

<http://www.google.com/accounts/TOS?hl=en>

6\. Your passwords and account security

    6.1 You agree and understand that you are responsible for maintaining the confidentiality of passwords associated with any account you use to access the Services.

    6.2 Accordingly, you agree that you will be solely responsible to Google for all activities that occur under your account.

    6.3 If you become aware of any unauthorized use of your password or of your account, you agree to notify Google immediately at http://www.google.com/support/accounts/bin/answer.py?answer=58585.

It's not absolutely clear, but 6.1 says to me "don't give your password to
anyone." Whether it's for auto-scraping or not. If I give my password to FB to
scrape my contacts, I (but not necessarily FB) have violated 6.1 because my
password is no longer confidential.

So FB is at least relying on someone (me) violating TOS.

------
mkramlich
I tricked Facebook. When they agreed to give me a profile they implicitly
agreed to my own ToS. One of the many many intentionally exotic and arcane
terms in my own is that they must give me a new pony every Tuesday. Since it
is Tuesday, and I have no new pony, they are in violation. Next comes
escalation into full-blown criminal code violation, woohoo!

------
FluidDjango
"Legal Director Cindy Cohn: "If Facebook's legal argument is upheld, it will
hobble companies that enable consumer choice, as well as create a massive
expansion in the scope of California criminal law.' "

Or: it will further open up a toehold for new startups to develop alternatives
to Facebook - alternatives that treat their user communities better.

~~~
shadowfox
The trouble is that alternate networks to Facebook need a certain critical
mass in order to succeed

~~~
iamdave
And do so quickly.

------
DanBlake
The scary part is the court may agree.

Recently there was a case (MDY industries vs Blizzard) in which they argued
that because MDY broke the EULA for Blizzard's software, they were no longer
authorized to use the software, and in such- copyright infringers. The judge
agreed. (It's now on appeal.)

~~~
keltex
That's different. It was a civil issue. This is where facebook is trying to
make it criminal.

~~~
DanBlake
I know it's different. I was referencing a previous case that held that
disobeying EULA terms can have farther reaching claws than simply breach of
contract.

------
woodson
Is there a service that "likes" everything that is suggested, uploads pictures
of other people tagged with my name, and tags pictures of me with other names?

The way I see it, the only way to continue using facebook for its actual
purpose (social interaction??) is to have my data tainted in a
(non-machine-detectable) obvious fashion so it becomes useless for most
automatic classification/categorization attempts.

------
wisty
Shouldn't consumer protection law render this kind of ToS unenforceable? When
car manufacturers tried to ban third-party parts, that was shot down. Surely
this could be extended to user data?

------
thentic
Given that privacy policies and TOS change on most websites, is there any
merit to a 'bait and switch' argument or anything like that?

I remember a recent commenter suggesting there was but didn't see any follow
up.

Conceptually, there is no contract between FB and its users. It's use at your
own will; essentially a one-way deal and therefore cannot be a contract. That
said, knowing they monetize our content, can an argument be made that our content
is 'consideration' and therefore a contract is implied?

------
datums
“After discussing the issues with Power.com for about a month without reaching
a resolution, we filed a lawsuit to enforce our terms of service, maintain the
integrity of our site and to assure our users’ privacy and security are
protected,” said Barry Schnitt, a Facebook spokesman.

What ?? source <http://bits.blogs.nytimes.com/2009/01/02/facebook-sues-powercom/>

------
dalore
So is using facebook's API to access facebook against the TOS?

------
bertm
Correct me if I am wrong, this seems like a far leap from what the law was
intended to do. The ruling would mean good for Facebook and bad for our
society.

------
th0ma5
No access through automated means? Browsers automate HTTP, and hence TCP, and
IP fairly completely... I guess I could go a layer lower and do all my
facebook through Telnet and manually typing GET / HTTP/1.1 but somehow I would
think they would find a way to say that is more automated, or scripted or
something. This company must be some kind of commercial threat more than
anything, and the lawyers are reaching.

------
catfish
<http://news.ycombinator.com/item?id=1291871>

How timely this post by sushi!!!!

------
what
> Facebook claims that Power's tool violates criminal law because Facebook's
> terms of service ban users from accessing their information through
> "automatic means."

So what is the point of the Open Graph then? Doesn't that allow me to access
my information through automatic means or am I misunderstanding something?

~~~
apike
It appears they want Open Graph to be used in response to user actions that
are explicit and specific to Facebook, rather than behind-the-scenes
aggregation or polling of any sort that keeps your data in sync with other
services. Quite a fine line.

~~~
what
Hmmm, so anything goes as long as people still have to go to Facebook.com to
get their updates.

------
gills
Agreement between private parties != legislation.

Why is this simple notion mentioned nowhere in the EFF letter?

~~~
pohl
As much as I hate the idea of defending FB, the article clearly mentions
California computer crime law, which is legislated, as part of FB's argument.

The EFF lawyer knows this, and that's why your inequality wasn't mentioned.

------
ajju
Shame on you, Facebook.

------
fareskaram
Or what? You'll stop using it? Other people?

<http://welcome-to-croatia.com/holida...tia-apartments>

------
ilitirit
Simple solution: Facebook should just delete the offenders' accounts. If we
get enough people to do this then pretty soon we won't have to read about
Facebook on HN ever again.

------
alexyim
Facebook is pretty evil.

------
cookiecaper
This is interesting I guess as I've been considering scraping pieces of
Facebook recently. They are crazy.

------
clammer
The question isn't whether Facebook's TOS makes sense, but if violating them
is criminal.

It should be up to facebook to find and ban violators from their system. TOS
is not a contract and, even if it were, a contract dispute is a civil case not
a criminal one.

Comment TOS: Reading my comment is strictly prohibited. Violators will be
punished to the fullest extent of the law.

------
kylelibra
With all this talk about deleting facebook accounts, has anyone ever
considered if it might be more effective to get an account banned? You could
spam a bunch of people until you get your account permanently banned, I would
think that banned accounts eventually get deleted.

~~~
tokenadult
_You could spam a bunch of people until you get your account permanently
banned, I would think that banned accounts eventually get deleted._

To the contrary, if Facebook is advised by competent lawyers, I would expect
them to make banned accounts invisible to the public but to keep them in their
business records indefinitely.

