/home/dhananjay

This post appeared on on Feb 16, 2009 on my software development blog : /var/log/mind. It is one of two posts I decided to cross post into this blog as well.

Update: Facebook has since reverted the change in terms of service. Cool. On Feb 18th, a message on the home page said :

Terms of Use Update

A couple of weeks ago, we posted an update to our Terms of Use that we hoped would clarify some parts of it for our users. Over the past couple of days, we have received a lot of questions and comments about these updated terms and what they mean for people and their information. Because of the feedback we received, we have decided to return to our previous Terms of Use while we resolve the issues that people have raised. For more information, visit the Facebook Blog.

Mark Zuckerberg also blogged about the same issue in Update on Terms.

Original post begins here.

Facebook published a new Terms of Service on February 4th 2009 which has a strong implication for how internet / cloud based data privacy is likely to be viewed. This was very well publicised here – Facebook’s New Terms Of Service: “We Can Do Anything We Want With Your Content. Forever.”. There was some consternation on the net especially on twitter about this change in facebook rules. While I did not use facebook much, I was sufficiently appalled at the change in rules to go and delete pretty much most of my data one line at a time. It is unclear to me if the old data is still available to facebook for sublicensing from a legal perspective (I know all the data will be there in their archives), but I decided it probably wouldn’t hurt to nevertheless to go delete most of it. I didn’t actually delete the account since Facebook still helps me keep in touch with my friends. But it is quite safe to assume that any interactions with them with an assumption or requirement of any data privacy will no longer be done on facebook.

Whats wrong with the new terms of service ?
Some people in forums argued that most of the data on internet is likely to be there forever. So one just needs to be careful and not worry about it. I don’t quite agree with that line of thinking. When I blog, tweet, post to usenet or forums, I am upfront aware of the fact that that data is going to be cached by google and other search engines and that once I press the publish button, there’s often no way to revoke it. However in case of Facebook, there is a general expectation that the data will be shared only within a network of friends, a network that I have control over. There is an expectation that that data will not get cached by search engines and short of an accidental data breach or some intentional malafide activities that data will not become public. What is unnerving with the new terms of service is that Facebook changed these rules at will without even sending me an email about the same.

Asymmetry of Privacy Expectations :

It is interesting to note how asymmetric some of the terms are. For example in the section User Content, the following is to be found.

By using or accessing the Facebook Service, you represent, warrant and agree that you will not Post:

* User Content that violates the law or anyone’s rights, including intellectual property (“IP”) rights or other proprietary rights (such as rights of publicity and privacy);
* any Contact Information or private information of any third party;

Further down in the section Licensing, it states,

You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof.

As you can see, you undertake to not violate anyone else’s IP or other proprietary rights, but information about you will not be treated with the same level of respect by Facebook, though its done quite legally by documenting the same in the Terms of Service.

Moreover anything you post or any information on your stream is now sub-licensable by Facebook. Now why would I exactly want to sign away all rights on status updates, photographs etc. on content which I posted assuming that it was secure and private ?

But the earlier terms were also quite onerous. So how come you did not complain ?

Apparently under the earlier terms, facebook also had the rights on the content, so whats the big deal ? Two main issues.

1. The earlier TOS did not grant Facebook the right to sublicense the content : The possibility of sublicensing means you have no control or idea on who the eventual user of that data could be. I still get angry at so many commercial parties at having leaked my email and phone number data. The likelihood of a similar scenario where facebook sells that data for commercial purposes now cannot be ruled out, purposes on which I will have no control on that data.
2. The earlier TOS had an escape clause of deleting the account Basically Facebook did not have the right on the data once you deleted the account. This is important as can be seen by another case on Twitter Privacy Disaster At Twitter: Direct Messages Exposed (Update: GroupTweet Is Likely Culprit). In this case private messages were apparently accidentally made public due to confusing software usability. The person immediately responded by deleting the account. This is a useful kill switch to have in case one makes a terrible terrible mistake of putting out something accidentally. This kill switch is also no longer available.

Bait and Switch : By not informing users of the change in terms of service especially since these were so important, I think this creates an impression that the user is a victim of bait and switch (even though the real underlying causes of the change which I am unaware of could be different). Facebook should’ve informed the users about the change in rules, offered a button to delete all prior data / photographs / content or at least made clear that the earlier content will continue to be governed by the earlier TOS – something thats a little unclear in this situation.

Implications for Internet Web sites and users : I think sites should very clearly document how they will control and use the data that they gather. Many of them do by explicitly document the same. Moreover any substantial changes to the same should be communicated to the users. Finally users need to be now aware of potentially changes of Terms of Services on a number of web sites that they interact with. Data that they assume to be private may no longer stay so and the user may not be any wiser about the same if the Terms of Services are changed without him being explicitly informed.


Updates :

Why did I delete the data ? Seems some readers are thinking I deleted the data believing that that will get rid of it. Thats not why I deleted the data. I am fully aware the data is likely to live perpetually in facebook archives and be accessible to facebook. I deleted it because that data had been submitted and generated under the old Terms of Service. Letting it be around to me seemed like an implicit acceptance of the new Terms of Service around old data, which I was uncomfortable with. So I deleted the data at the first available opportunity on realising that the Terms of Service around that data had changed. Any new interactions I do with facebook will be under an awareness of and therefore an acceptance of new Terms of Service.

Response from Facebook : Mark zuckerberg attempts to address the issue on facebook blog : On Facebook, People Own and Control Their Information. I could not find any rationale to why Facebook needs the privilege to sublicense the content. I also thought the way the blog post was written and the way the Terms of Service are structured are very very different. In my opinion its the Terms of Service that count.

This topic has been also getting a lot of traction on other blogs. Am quoting some other interesting opinions on the topic on the internet along with link backs to the posts below

• cnet News.com : The Open Road : Facebook changes terms of service to control more user data :
  

  Google has had its own problems with user privacy, but this Facebook move calls into question the wisdom of clouds or, rather, storing one’s data in others’ Web services like Facebook. We need to come up with new licenses or new mandates for open data in the cloud. Facebook shouldn’t own our data.

• Mashable : Facebook: All Your Stuff is Ours, Even if You Quit :
  

  The possible implications of this TOS change go beyond these concerns. Sure, you can choose not to use Facebook at all, but that doesn’t mean a thing. Someone can still take your photo, slap it on Facebook, and now neither you nor the author of the photo can stop Facebook from using the photo in whichever way they please. Looking at it globally, millions of people are uploading bits of information on everyone and everything, to a huge online database, and by doing so they’re automatically giving away the rights to use or modify this information to a private corporation. And not only that; they now also waiver the right to ever take it back from it.

  Facebook should take a long, deep look into how it treats its users. Until now, users had options with regards to how the data they generated on Facebook was used. Now, they have no options whatsoever, rather than quit the service altogether. It’s a major difference; I’m not going to take it lightly, and neither should you.

• Wet Asphalt : The Facebook Freakout :
  

  You are only granting those rights “on or in connection with the Facebook Service or in the promotion thereof.” What does that mean? Well, it means that you are licensing the use on Facebook branded websites or any other media and the Facebook Platform, which is the legal name for the APIs that allow third parties to create Facebook applications. So if there was a Facebook TV show, they could use your stuff on that. Or if they launched a Facebook concert series or a Facebook magazine, they could use your stuff in that. Presumably, if there were a Facebook dogfood, they could use your content on that. Or if they wanted to make an advertisement FOR any of those things, they could use your stuff in that. Precisely WHY Facebook would want to do any of those things, I leave to the reader to speculate on. What they most emphatically CAN’T do is what Walters claims, that “We can do anything we want with your content forever.” They can do anything they want with your content ON Facebook or to Promote Facebook forever. But if they said that it probably wouldn’t cause the internet panic and generate hits for the consumerist and readers to stroke Walter’s ego with diggs and trackbacks and twitterposts either.

This post appeared on on July 23, 2008 on my software development blog : /var/log/mind. It is one of two posts I decided to cross post into this blog as well.

Just realised, have been blogging for more than 6 months now (actually I had started another blog ages ago .. but that tapered off soon then). Over this period, I believe I learnt or adopted a few practices. Just sharing them here. Feel free to comment. YMMV.

1. Treat your readers like a jury not as customers :By jury, I mean a jury as in a academic thesis not as in a court. Whats the difference ?
   • With customers you sell, with a jury you defend your perspective. You may think you are selling your views, but a jury doesn’t shell out any money to buy them. This makes a typical sales process a much more harder and onerous task than just defending. Most readers aren’t out to buy, they are out to learn more and interact more.
   • With customers you assume they may not know all about your product, so you focus on educating them in general towards making a pitch. With a jury you assume they already know far more than you do in general, but you attempt to educate them and draw them into a discussion into something specific that you have spent your time on, on something specific that you are presenting.
   • In a defense, the onus is on you to provide credible backing evidence. In a sales pitch the onus is on the customer to verify your pitch. Most readers would prefer to not carry the additional overhead of having to verify your statements. If you have provided the rationale for your statements clearly and supported it with available evidence if relevant, you have made the readers job much easier. You have increased the chances of the reader wanting to come back to your blog.

   
   

2. Make a strong statement. Avoid taking strong positions : Allow me to define this. By position I mean making absolutist statements without providing a sufficient context or a frame of reference or assuming ones own frame of reference as the only valid one. There is a wide diversity of readers out there. Some are into client side, some into server side. Some are into high usability, some into high speed processing. Some are doing graphics algorithms, some others are into CRUD and business validations. A large majority of your readers are likely to have a different frame of reference than yours. If they can’t understand where you are coming from, they will assume you are coming from the same context that they do. And they are likely to feel confused when what you say doesn’t end up matching their world view. A statement like “I found X more suitable than Y under a context Z” rather than a position like “X is better than Y” is more helpful since :
   • You get to describe your context. Your statement is a statement within a context. It is not treated as a blanket position. Readers with different contexts and divergent views can sometimes trace the differences to the context. Such readers can still suggest alternative views within other contexts easily without appearing to contradict you. Readers with similar contexts and divergent views can still choose to take you on.
   • You have lesser chances of being misinterpreted. You don’t want to get caught in an interview a year down the road when you are changing your job from writing a forms based application to one where you might be required to build say a graphics processing engine, where your interviewer might have just read your blog, and your posts actually do not make sense in the newer context.
   • When you make a strong statement without taking a strong position, readers record their agreement / disagreement with the post rather than you or your blog in general. I personally find that a much more comforting thought than readers choosing to agree / disagree with the blog in general.




3. Be prepared to update your blog soon :There is a large number of smart people out there, often a lot smarter than us, or having a difference experience set than us. As the comments start coming in, you start learning things you wish you knew before you wrote the post. If the comments indicate something useful and relevant to the post that you would’ve wanted to include in the post had you known about it earlier – go ahead, add it into the post. A convention I have seen is that all non trivial changes after the initial posting should be prefixed with the word “Update:” or “Updates:” so that readers can make out you’ve changed something after your initial post. A comment or two may be especially relevant. It helps to be able to review the comments regularly and update the post if relevant soon. If you are going to be traveling soon, either submit your post a little earlier or post it a little later – but post it when you know you will be able to review the comments and will have the flexibility to take 5 to 10 minutes off your regular work to update the blog if necessary.




4. Be prepared for surprises : Even if you write carefully you will end up making a small set of readers either happy or disappointed with you in a manner that will leave you puzzled. However hard you try there is a good likelihood someone is going to misquote you or take you on strongly in an unanticipated way. Some of this may be unavoidable and needs to be factored into your assumptions. However some of it will be avoidable, and do follow up such incidents to figure out if there are any learnings that you can apply the next time. A great way to do so is to write a mail back to the commenter or to the blogger who may have linked to your post and get a better understanding of his/her viewpoint.




5. Don’t title spam your readers : Every so often I come across a post with a provocative title, but which does not live up to the title at all. I prefer call this title spamming, since lot of the spam I receive has a provocative title, but often irrelevant content. Title is important. It influences readership strongly. But if you title spam regularly, it might help you get 2-3 posts higher readership, but its going to hurt in the longer run.




6. Understand how blog aggregators and networks work :It is important to understand the demographics of different blog aggregators. If you would like your blog to be read by larger number of people, be clear in your mind which demographics you are targeting when writing your post. Some aggregators like javablogs.com and artima.com will target specific programming languages and work off an RSS feed. Explore your blogging software and see if it offers category / tag based feeds. If it does use the categories / tags to ensure your rss feed registered with these aggregators sends only relevant posts to them. I use wordpress and it supports tag / category based RSS feeds. Networks like dzone.com, news.ycombinator.com, reddit.com, slashdot.org, digg.com have very different demographics. Don’t blanket post to all networks. Register your post with those networks where the readers are likely to find your post helpful. I have occasionally come across people wondering whether one should register one’s own posts to a network. My opinion is that it is an acceptable activity.




7. Ensure you have blog analytics enabled : Over a longer period of time you will start gleaning useful information about your readers. eg. what part of the world do they come from, which links do they come from (eg. you can get statistical information about the referrers such as google reader (RSS), blog aggregators, blog networks etc.). You can also get information about what searches led the search engines to your blog. I prefer wordpress.com stats plugin for wordpress and google analytics. The former is better at providing more immediate feedback, whereas the latter is more comprehensive.




8. Pay attention to search engines as well :Most blog aggregators and networks will drive substantial traffic to your blog for the first 24-48 hours. Search engines will send a small trickle initially. However there is a big difference. Traffic from aggregators and networks will dry up after a few days for any post. But traffic from search engines will keep on coming. Over a sustained period of time, search engines can start driving a substantial traffic to your blog. Read up about Search Engine Optimisation and see if you can help your blog. I would recommend however that you use such optimisation fairly and only to the extent that it is not misleading.

Yesterday, the Supreme Court of India in an important ruling refused to shield a 19 year old blogger from a responsibility to face the charges in a different state than the one of his residence. A few important implications stem from this which should be noted.

One important aspect which is perhaps easy to lose sight of in this debate is that the Supreme Court did not weigh in on the guilt or lack of it in this case, but on the fact that the person could not shy away from the responsibility to face the charges in a court. What should also be noted is that the underlying case is a criminal case and not for civil liability or libel, and seems to stem from an alleged death threat that was issued in the forum as per this article from The Telegraph.

The implications are relevant to bloggers, site maintainers, forum administrators, group moderators and perhaps even small commercial internet services dealing in opinions and expressions flow. In interest of brevity I use the word blogger below to be freely substitutable by any of these.

Note: I am not a lawyer and this is not a legal opinion, it is an expression of my personal understanding.

The Burden of Accountability. Imaged owned by and used under permission from Firoze Shakir. http://www.flickr.com/photos/firozeshakir/3309041065/

Is a blogger accountable for the online content including those made by others on the site ?

The Hindu offered a brief summary of the underlying issue in the case as follows.

Ajith D, a Kerala-based computer student had approached the apex court for quashing of the criminal case registered against him at Thane Police Station for allegedly hurting public sentiment by starting an online community in Orkut with an intention to launch an anti-Shiva Sena campaign.

I think this verdict does go to some extent towards suggesting that he does though I am not sure if it is a blanket conclusion one can draw at this stage. The court in its comments said :

You should not have indulged in such activity. You are a student of IT. You are doing something on internet and you should know about it.

This is a clear and unambiguous message which suggests that the constitutional rights do not cover a netizen from a responsibility to face any charges that may crop up as a result of any of his / her online expressions or facilitation of other’s online expressions. In this case many of the offensive comments were made by anonymous contributors and not by defendant himself. Thus such a person cannot shy away from having to face charges and defend himself even when the vehicle of expression he provides is used by others to express themselves.

Thats like holding the public transportation and public telephony organisations responsible since their offerings were used to conduct an activity that is now under criminal investigation. That obviously does not make sense. But allow me to introduce a hypothetical premise here. What if the public transportation and public telephony organisations used their discretion from time to time to decide who can use their services and who can’t, and what if they knew the the broad intentions of the user in using their services (either upfront or post facto). Would they now have a responsibility in this case ? That does make the situation a bit cloudy.

The equivalent situation in this case is when an online forum / site / group / blog is moderated. I am also going to assume for a moment (since I don’t know the facts) that the said orkut group allowed the group maintainer to moderate the content and the group maintainer might have used his privileges to say knock off spam on the group. This would imply that all expressions are not automatic and hence there is perhaps a case for the court to have made the moderator responsible to face charges for all the content in the group. However I would find it a little surprising if the group maintainer did not have any privileges to moderate the content or exercise his right to do so.

Should the blogger be required to face charges in any jurisdiction ?

While terribly inconvenient and perhaps with a lot of nuisance potential, the court opined very very clearly.

If a case is filed in a foreign country go and face it. You should know what you are doing on internet.

This is going to be really an issue for a lot of bloggers. In traditional (non internet) offerings, the service provider often has some kind of presence in the places where his services are consumed. Not so in the case of internet. You can reach the world without leaving your house. Also traditional service provision, requires some infrastructure or facilities investment or leasing, not so in case of blogging. The blogger often may have limited access to resources, may often have no revenues whatsoever. Yet he could be made responsible to defend himself in the furthest corners of the world. So herein lies the issue – Given the potential minimal resources and perhaps no revenue at his disposal, the blogger may have to face charges from any corner of the globe. The resultant investment in time and money alone may now seem like a punishment even if the blogger was to be eventually successful in defending himself in a court.

While the internet has delivered asymmetric capabilities to the blogger (maximum reach at minimum cost), the legal infrastructure has placed him at the receiving end of that asymmetry (maximum potential costs of defending himself while working off minimal / zero revenues). There is something clearly uncomfortable about this but I am not sure whats the right solution.

An interesting angle that will need to be looked at here is also the implication for internet based individual or small company commercial services (which often operate on a rather shoestring budget and headcount). Would this opinion lead to a negative business climate for such offerings ? Coule it be detrimental to their offerings, since often the primary commodity they deal in is information, precisely the currency whose use could expose them to (threats of) legal action.

I do think this is an issue which will perhaps need a different resolution in times to come. And especially since the Supreme Court has already weighed in on the issue, it might be the time for legislature to take a look at its implications especially by considering its implications on the business climate of small internet services as well.

Is this an attack on freedom of expression ?

In this case the charges are criminal in nature and seem to be stemming off a death threat. These expressions if made orally would’ve made the person who made such an expression equally inconvenienced, and I cannot imagine why online expression should be granted any more freedom or privileges than oral expressions. If at all, online expressions because of their reach and ability to persist, need to have more accountability. So confusing this with freedom of expression and speech is just being plain facetious. So in my opinion the answer is NO.

However the case does raise interesting possibilities about non threatening or non criminal charges. How would the Supreme Court opine in such a situation. Well we wouldn’t know until such a case reached them, but let us for a moment assume that the opinion continued to be similar. Even in such a hypothetical situation, I believe it would still not impinge on freedom of expression. All that the court has said is that one cannot escape from being accountable for expressions and thus present themselves to defend themselves. Thats perfectly reasonable. However it could indirectly hurt freedom of expression due to the burden it places in terms of defense. Defending oneself in a remote state can be an act of punishment itself which could dilute the very strengths the constitutional rights sought to promote. That part does worry me.

So what can be done about it ?
For starters I think the legislature while continuing to make people accountable for their expressions should pursue mechanisms by which the cost of implementing such accountability could be reduced. How that could be done is beyond my capabilities and understanding of the legal system. Moreover the judiciary could in the cases it handles, continue to be very proactive in ensuring that the freedom of expression is strongly defended in the cases that come to it for redressal. It should also figure out a way to deal strongly and with penalties on any frivolous use of force to clamp down on expression.

Update : I am surprised with myself for having forgot this recent tweet of mine (post the NDTV / Chaitanya kunte episode). Quite simply it says :

   Right to express is inalienable from accountability of expression. Civil liberties are strengthened by responsible civility