Facebook is proposing a broad range of updates to its governing documents, the company announced today. It’s a complex combination of simple clarifications and significant changes.
The updates could impact everything from the company’s pending location service, to developers and advertisers on the platform, to how users can represent themselves and interact with each other on the site, to how third parties can obtain user data without explicit permission. The last point is perhaps the most interesting.
But first, some important information to take note of.
Facebook has been trying to give users more clarity around its various terms of service, and this is its latest effort on that front. The company says users will have around seven days from now to provide feedback — until 12:00am Pacific Time on April 3, 2010.
Also, the changes are meant to help prepare users and the company for future launches, as it says “not all of these products have been finalized and many aren’t yet built at all.” Many of the possible launches, though, are likely come at its f8 developer conference happening on April 21.
Now, here’s our look at what appear to be the most significant differences in the documents, in the order they appear in each document. We’re passing over the smaller changes and most of the clarifications, but be sure to check out the red-lined version for yourself, if you’re interested in every detail.
Statement of Rights and Responsibilities
For clarity, we’re putting new text in italics, using the proposed version of each document.
2. You will not create more than one personal profile.
3. If we disable your account, you will not create another one without our permission.
Analysis: Lots of users have more than one account, whether to establish a private versus more public identity, or because they want an extra one to play games with, or whatever other reason. Facebook doesn’t want this happening, though, because it wants a single user identity to accurately reflect all of the person’s real-world relationships. Also, the latter line suggests Facebook wants to make its right to keep people off the site even more obvious.
5. Protecting Other
9. You will not tag users or send email invitations to non‐users without their consent.
Analysis: It’s hard to see how Facebook can enforce the fact that a user has obtained consent before tagging someone or inviting them to Facebook or to an application on the site. But it’s interesting that the company added “tag users” here, anyway, because the European Union is currently looking into privacy practices among web companies including Facebook.
One result, for example, is an article like this one from the Associated Press: “You have been tagged in 12 photos. Even if you’re not signed up to the Web site.” The lede obviously refers to the fact that Facebook users can tag people in photos who are not on Facebook, and notify those people via email that they’ve been tagged — one of the EU’s concerns. Whatever happens with the EU, Facebook appears to be making a pre-emptive move on the photo-tagging example by using its terms to put the responsibility on users when they use the feature.
3. You provide all rights necessary to enable users to sync (including through an application) their contact lists with any basic information and contact information that is visible to them on Facebook, as well as your name and profile picture.
Analysis: This entirely new clause reiterates a feature that Facebook already offers, which is letting third parties sync some contact information. More on this below.
Provisions Applicable to
2. You give us permission to use and allow others to use such links and content on Facebook.
Analysis: Perhaps Facebook will be trying to provide third-party access large batches of information about the most popular shared links on Facebook? This could be valuable for anyone in the news aggregation business, for example. More likely, though, the adjustment to this phrase reflects the fact that Facebook lets users re-share links that their friends have posted already.
9. Special Provisions Applicable to Developers/Operators of Applications and Websites
2.6. You will not directly or indirectly transfer any data you receive from us to (or use such data in connection with) any ad network, ad exchange, data broker, or other advertising related toolset, even if a user consents to that transfer or use.
Analysis: This entirely new clause strongly suggests that some online advertising companies have been doing exactly what it says they shouldn’t be. This is unsurprising given that many online advertising companies have built their businesses on secretly buying and selling user data, however that data might have been gained, then using the information to do things like target ads. It’s not clear how Facebook can enforce their good behavior on its site, but the clause is a good first step to limiting abuse.
2. Information We Receive: Information you provide to us: Information About Yourself
….Once you register you can provide other information about yourself by connecting with, for example, your current city, hometown, family, relationships, networks, activities, interests, and places….
Analysis: This is interesting to anyone focused on the potential of Facebook to create location-based services. As the company explains in its changes overview blog post, it has cut out a section it added last fall defined around “location.” It is now using the term “Place” to mean, for example, “a Page, such as one for a local restaurant.”
While it’s unclear exactly what Facebook means, it sounds like the company wants to tie location in with other key parts of its site, so users intuitively think of location as part of bigger concepts. In the restaurant example, it would have both a location and a Page, but Facebook would present that information as two parts of the same thing.
4. Information You Share With Third Parties: Connecting with an Application or Website.
When you connect with an application or website it will have access to General Information about you. The term General Information includes your and your friends’ names, profile pictures, gender, connections, and any content shared using the Everyone privacy setting. We may also make information about the location of your computer or access device and your age available to applications and websites in order to help them implement appropriate security measures and control the distribution of age-appropriate content. If the application or website wants to access any other data, it will have to ask for your permission.
Analysis: This paragraph sums up the big privacy changes that Facebook made this past winter, when it did things like require that all sorts of basic information be publicly available for every Facebook user. Not every user was happy with the changes, but the company believes it needs this baseline level of openness to make its service work. The move, as we wrote at the time, was part of Facebook’s long-term plans to make its entire service more open. And sure enough, the next big change shows the impact.
4. Information You Share With Third Parties: Pre-Approved Third-Party Websites and Applications.
In order to provide you with useful social experiences off of Facebook, we occasionally need to provide General Information about you to pre-approved third party websites and applications that use Platform at the time you visit them (if you are still logged in to Facebook). Similarly, when one of your friends visits a pre-approved website or application, it will receive General Information about you so you and your friend can be connected on that website as well (if you also have an account with that website). In these cases we require these websites and applications to go through an approval process, and to enter into separate agreements designed to protect your privacy. For example, these agreements include provisions relating to the access and deletion of your General Information, along with your ability to opt-out of the experience being offered. You can also remove any pre-approved website or application you have visited here [add link], or block all pre-approved websites and applications from getting your General Information when you visit them here [add link]. In addition, if you log out of Facebook before visiting a pre-approved application or website, it will not be able to access your information. You can see a complete list of pre-approved websites on our About Platform page.
Analysis: This one’s potentially a very big deal. “General Information” basically means information that Facebook has already required users to agree to make public, as we noted in the previous section. So, Facebook’s thinking here seems to be “now that we’ve made all this information public, let’s see what we can do with it.” Third parties can already gather “General Information” using the Platform, Connect, search engines, etc. so this “pre-approved” concept seems intended to streamline usage. Companies that are pre-approved are not getting special access to any data, as far as we can tell, they are just getting quicker access.
But there are lots of interesting questions around the wording of this section. For example, what exactly does the reference to “opt-out” mean? Will each pre-approved site be required to offer some sort of opt-out button when users first come to the site, or will they be able to hide that feature somewhere and auto-register users when they show up?
We don’t have a clear idea how the “pre-approval” change will work, but the ambiguity already has people wondering if users will be forced into signing up into sites they happen to visit, without being able to avoid doing so. When we asked for more details, Facebook only responded with this general point: “The specific agreements that these trusted partners will need to enter into will require them to provide a clear and prominent way for people to opt out of the personalized experience on their site. In addition, there will be a control on Facebook to manage these partner sites’ access to information.
Without more information, it looks like Facebook is aggressively trying to push Connect around the web. The company risks generating a considerable amount of user confusion and animosity with this process. It’s managed to overcome past mistakes — like its Beacon advertising program, which showed users’ activity on other web sites to friends on Facebook without permission. But we wonder how it’s going to ensure privacy and goodwill with this feature.
We also suspect that the clarification about “General Information” and the “pre-approval” addition are both tied directly to Facebook’s plans for its Open Graph API. Although there aren’t many details about that product, it is likely to launch at f8, and will provide features such as the “like” button on other sites. This would make it even easier for Facebook users to send and receive all sorts of information between the site and the rest of the web — and cement Facebook’s position as the central destination for consuming web-wide information.
4. Information You Share With Third Parties: Exporting Information.
You (and those you make your information available to) may use tools like RSS feeds, mobile phone address book applications, or copy and paste functions, to capture, export (and in some cases, import) information from Facebook, including your information and information about you. For example, if you share your phone number with your friends, they may use third party applications to sync that information with the address book on their mobile phone.
Analysis: This line matches the clause change we noted in the SRR. Facebook wants to make it clear to users that third parties could be getting access to things like your phone number. Sounds like we might see some cool new uses of Facebook’s address book in the near future.
4. Information You Share With Third Parties: Advertisements.
Sometimes the advertisers who present ads on Facebook use technological methods to measure the effectiveness of their ads and to personalize advertising content. You may opt-out of the placement of cookies by many of these advertisers here. You may also use your browser cookie settings to limit or prevent the placement of cookies by advertising networks.
Analysis: Facebook, to our knowledge, has not previously said that online advertising companies on its site are using cookies to measure and target ads. Cookies are a routine way that Google, Facebook and countless other web companies measure and advertise to users; cookies are also required for many features across the web, like logging in in most cases.
7. How You Can Change or Remove Information: Limitations on removal.
If you have given third party applications or websites access to your information, they may retain your information to the extent permitted under their terms of service or privacy policies.
Analysis: Facebook has added a last clause to this part, suggesting that aside from the new 4.2.6. clause limiting advertiser abuses, there are many circumstances where users somehow share information with third parties that goes beyond its control. The reality here is that Facebook does not have watertight mechanisms for limiting what companies can get access to what data.