Ask an Engineer: What do you think of the Facebook Terms of Service Flap?
If you haven't been paying attention to this week's flap on Facebook's revised terms of service - posted three days ago and retracted today - Andrew Lavelle of the Wall Street Journal published a good recap today. The controversy is over what rights Facebook gets to content that an individual Facebook user posts. There are a lot of good arguments about what rights people think Facebook should be able to retain, but there's a second level of discussion that relates to how people expect Facebook privacy settings to work, and how these expectations make it difficult to craft an agreement that seems fair, makes sense, and corresponds to what Facebook actually implements and enforces.
Lavelle quotes TechCrunch's Erick Schonfeld: “If I upload a picture which I later regret uploading, why shouldn’t I be able to erase it from Facebook forever, even if some of my friends have already seen it?”
Facebook's Mark Zuckerberg's Monday 5:09PM post said:
"Our philosophy is that people own their information and control who they share it with. When a person shares information on Facebook, they first need to grant Facebook a license to use that information so that we can show it to the other people they've asked us to share it with. Without this license, we couldn't help people share that information."
1) Grant Facebook rights to whatever you posted to your Wall or someone else's Wall, subject to your privacy settings, which you can change at any time. This requires Facebook to restrict future access to whatever you have posted or shared directly or indirectly with others using Facebook when you subsequently change your mind or leave Facebook and cancel your account (e.g. Ted Nelson style enforceable “transcopyright”).
2) Grant Facebook rights to use copies of your content (the copyrighted email message model) that you post to your Wall or someone else’s Wall directly or using a third party’s Facebook API. You arguably have a legal right to restrict future use of copyrighted content distributed to others via third parties, but don’t have a practical way to retract content that has been copied and stored outside Facebook’s direct control.
Zuckerberg argues that the content of your Wall might disappear or be restricted based on your privacy settings (or disappear if you cancel your account), but whatever you've posted to someone else's Wall might be retained by Facebook - and deleted or restricted by the owner of that Wall. This may or may not be what you want - and it is not how I read what Facebook promised to do in Monday's (retracted) revised terms:
"You are solely responsible for the User Content that you Post on or through the Facebook Service. You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof. You represent and warrant that you have all rights and permissions to grant the foregoing licenses."
My reading of this was a promise to respect an individual's privacy settings for whatever that individual posted to their own Wall or anyone else's Wall - directly or indirectly - in exchange for rights to copy and distribute that content. If so, Facebook is setting a pretty high bar for what they have to implement.
I read Monday's version as a promise to track sharing rules based on Facebook privacy settings as you may change them over time. If so, it looks like developers who use the Facebook API need to reference the current value of per-user privacy settings that are authoritatively maintained by the Facebook platform. Not a bad position for Facebook as the gatekeeper for all runtime access - but not easy to craft an agreement that “makes sense”, is broad enough to protect Facebook, matches what they actually implement, and can be enforced on their Facebook API developers who also need access to user content.
For comparison, Traction TeamPage uses run-time transclusion with permission checking to grant or deny access to posts, pages, comments and tags (as well as what you can see by navigating, searching, Jabber or email notification and RSS/Atom feeds).
The TeamPage model uses permissions attached to the content of specific work spaces rather than individuals, but allows private comments in one space (e.g. the Support project) to be added to any paragraph of a more public space (e.g. a customer Forum), and shown only if the reader has permission to read the top level entry and the space(s) in which comments on that entry are posted.
This makes it easy to add or remove a person from the access list of the Support project, and instantly change the page content, comments, tag clouds and search results that person can see.
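A minimal sketch of the read-time permission check described above, added here as an illustration and not taken from TeamPage itself. The `Space`, `Entry`, `Comment` and `render` names and the sample data are hypothetical; the point is that the page is assembled per reader from the current access lists, so changing an access list changes what is shown without touching any stored content.

```python
from dataclasses import dataclass, field

@dataclass
class Space:
    name: str
    readers: set = field(default_factory=set)  # access list: the only place rights live

@dataclass
class Comment:
    space: Space      # the space the comment was posted in (may differ from the entry's)
    paragraph: int    # index of the paragraph it is attached to
    text: str

@dataclass
class Entry:
    space: Space
    paragraphs: list
    comments: list = field(default_factory=list)

def render(entry, reader):
    """Assemble the page for one reader at read time (hypothetical model)."""
    if reader not in entry.space.readers:
        return None  # no right to the top-level entry: nothing is shown at all
    page = []
    for i, para in enumerate(entry.paragraphs):
        # A comment is transcluded only if the reader can read the comment's own space.
        visible = [c.text for c in entry.comments
                   if c.paragraph == i and reader in c.space.readers]
        page.append((para, visible))
    return page

def demo():
    # Constructed sample data: a public Forum and a private Support space.
    forum = Space("Forum", {"customer", "alice", "bob"})
    support = Space("Support", {"alice", "bob"})
    entry = Entry(forum, ["Login fails after upgrade.", "Workaround: clear the cache."])
    entry.comments.append(Comment(forum, 0, "Same here."))
    entry.comments.append(Comment(support, 0, "Known bug, fix scheduled."))

    customer_view = render(entry, "customer")
    bob_before = render(entry, "bob")
    support.readers.discard("bob")       # remove bob from the Support access list
    bob_after = render(entry, "bob")     # same stored content, different page
    return customer_view, bob_before, bob_after, render(entry, "stranger")

if __name__ == "__main__":
    for view in demo():
        print(view)
```

Because nothing is copied out to the reader's side of the permission boundary, revoking access takes effect on the next render; a model that distributes copies, as in option 2 above, has no equivalent step.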