It is past time to start awarding prodigious damages against corporations who egregiously and willfully write unlawful provisions into their terms of use, consumer contracts, etc. etc.
Parsing and correctly interpreting pages upon pages of legalese presents an undue burden on a well functioning market economy. Corporations can slip clauses into agreements that can give them vast power over their customers who do not understand the full ramifications of what they are agreeing to. There is very little cost involved to the corporation that tries to get away with this. There is a very great cost to our society in tying up our court systems with stupid crap such as this.
The only solution is to make the cost of writing illegal provisions into contracts greater to the perpetrator than the potential reward. I know there will be unintended consequences to what I propose. But surely there must be a way to send a stronger signal to corporations who willfully push legal boundaries and seek to obfuscate exactly what it is that consumers are agreeing to?
Unlawful provisions aren't the only problem; what about selective enforcement?
When everyone is a lawbreaker selective enforcement gives law enforcement tremendous power beyond what's written in the law. A similar situation applies to contracts, and contracts for software and services are so impenetrable these days that you're bound to be violating something or other just in everyday use.
There are historical reasons for these provisions though.
Take, for example, the standard UK limitation of liability cut-and-paste block. (About half a page.)
It's that long because there is case history on each point suggesting that if you don't enumerate each of those the conditions separately then you may get nailed for it. And every time there's a new test case that isn't quite covered, the list gets longer.
The only way to correct that kind of mess is through legislation. And there are so many examples of that kind of crufty-for-a-good-reason language that the patchwork would take years to unravel and have many unexpected consequences (not to mention lots of uncertainty until five hundred years of new case law was established).
There are people working on this kind of thing (for example the new companies act, which makes incorporation documents much simpler and removes some of the 'peppercorn and two groats must be thrice weekly burned over a blue flame' anachronisms) but it takes time.
One relatively simple way to do this might be to pass legislation saying that the terms and conditions can only be up to a maximum number of words which must be from a standard dictionary, with no links or supplemental articles permitted. This would encourage companies to be concise with their ToS, and discourage the use of "hidden clauses".
You give us the right to publish your data and you don't have access to
anything else other than what the Facebook UI and APIs provide.
There, problem solved. Of course, writing this in legalese isn't so straightforward ... otherwise legions of lawyers and judges would be jobless. And they wouldn't be able to ban crawlers, other than search-engines ... and where's the fun in that?
I can't believe that Facebook is attempting to go after people through criminal law, rather than civil law.
Wasn't the CTO of Facebook just saying less than a week ago that : "users have complete control over their data, and as long as [the] user gives an application explicit consent, Facebook doesn't get in the way of the user using their data in your applications beyond basic protections like selling data to ad networks and other sleazy data collectors?" [1]
As good web citizens we honor robots.txt, but these frivolous lawsuits make me think we shouldn't form a US corporation just to leave a much higher barrier to suing us. Which incidentally means no YC for us.
So they expect what? A sort of proxy for the legislative process? Laws selected by the legislative branch of our representative government ooorr anything we happen to put in our TOS. Same diff.
So I'm an old guy who is hard of hearing and stubborn. But I'm also a programmer.
Being who I am, I write a bot that scans my FB profile and checks for birthdays in the family. If one is approaching, it flashes a light, yells at me, and calls me names until I buy a present.
According to FB, I'm a thief, no?
What if I'm a blind guy who made his own browser-helper because the standard tools don't work so well for me? Or I wrote a special FB access device that helps people with ADHD? Or I just like the color blue and want to see everything in the world in blue? Or what if i just write my automation on top of a standard browser that highlights any text that has my friends' names and downloads the surrounding paragraph to my desktop. Just because? Seemed like fun? What if I filmed myself (or a trained monkey) accessing my Facebook account? What if I took the film and extracted data from it?
I would argue that I am accessing FaceBook via HTTP and GET and POSTS. I use standard nomenclature and the standard stack from the O/S outward. Anything beyond that is none of their damn business. (Not trying to play to the crowd, but this is preposterous. The entire purpose of HTML is to separate the data from the way we access it)
Yes, you are are a criminal (not necessarily a thief), according to facebooks terms of service.
Of course, facebook would not prosecute you, but this is not the point. Facebook has been going after services that make it easier to delete your account, or move information to another service. This is what FB does not like.
Of course, what they are doing is completely disgusting, but facebook seems to be able to do whatever they want, and their users do not mind, as long as they don't change the profile screen too much. Then there is an uproar.
By the normal sense of the law up till now, you are not a criminal if one party in a contract considers you in violation of the contract. It has been a civil matter. Even the RIAA has had to sue people in civil court rather than being able to prosecute in criminal court. A criminal violates criminal law. Let's get clear on the concept, especial with Facebook trying to stretch it.
Yes. Even assuming FB is correct, they would then have to create a list of which browsers they consider "non-automating". Would GreaseMonkey installed on FF count? How about some VBA on top of IE? If I travel outside of net range and my browser caches up lots of FB pages overnight, does that count? Beats me. We'd all have to use pre-approved tools to access our FB accounts -- or face criminal prosecution.
It's not just that it is non-intuitive. Lots of legal things are non-intuitive. It's not even that it completely breaks the idea of HTML, even though that's pretty huge. It's not even that somehow by using FB I have given up my right to purchase and use my own equipment to browse the web, thereby limiting competition, although that is huge also. FB is actually trying to reserve the right to criminally prosecute me unless I use tools that are on a list that they preselect, and presumably update. So, logically, the first thing I'd like to do is see this list and find out how it is created and updated.
The entire purpose of software in this setting is to automate the retrieval and display of HTML based on my particular preferences, and in the time and configuration of my choosing. That's the way the web has worked ever since there was a web. That's why the the web is structured the way it is. That's why the web can continue to expand and grow.
I'm growing tired of attorneys on fishing expeditions.
No so many years ago people argued that an online web server is an open invitation for anybody.
Now if you have a link you can't use it because of TOS? Is this enforceable? How do you get the TOS? You download the link to it? Man, what if you used "automated means" to download the TOS does it count as a breach of rules - which you didn't know before the download? Are you punishable for this?
I normally like to play devil's advocate, but in this case I simply can't come up with a decent argument to justify Facebook's position that they "own" your data. They can own the expression of your data on a Facebook page, but they can't own the data itself.
That's my understanding at least - am I in the wrong here?
This isn't about data ownership but about computer ownership. If you're going to access Facebook's servers, then you need to do so in a way that complies with Facebook's rules. Power Ventures ignored robots.txt, and circumvented an IP address block. In concept, this is no different than bypassing the password of a password protected web site.
Circumventing access controls should not be illegal. The DMCA has shown us why this is a bad idea. If circumventing access controls leads to a real crime, then prosecute that crime instead.
For an analogy to the real world, think about lockpicking. Lockpicking should be legal. Picking locks isn't the real crime; it's theft, trespassing, destruction of property, etc. that we should prosecute.
In this case users authorized Power Ventures to access their Facebook accounts (in exactly the same way users authorize Facebook to access their GMail/Hotmail/etc. accounts), so no actual crime was committed after circumventing the access controls.
I'm not sure why ignoring robots.txt or an IP block would violate criminal statutes. I'm not even sure why circumvention would violate civil statutes. Obeying robots.txt is common courtesy. For IP blocks /and/ people that ignore robots.txt, I have years of logs I'd like to turn over to the proper authorities.
While I understand you are playing devil's advocate, I think one problem they would have is that they'd have to prove that Power Ventures is doing this themselves, which they aren't. One argument could be that power ventures built the application, and users of Facebook are in fact utilizing the software to perform these actions. If Facebook were to approach anyone, it would be the users of the software.
I think that argument holds as much water as Facebook's, if not more so.
One would hope not, but law and common sense can diverge.
The devil's advocate argument is that you don't own the data, you uploaded it to Facebook to use in a limited capacity (e.g. they're not allowed to just broadcast it to the world without your permission or unless they trick you into exposing it with weird 'privacy' options).
To use their service, which happens to use data you gave them willingly, you need to access their server in a manner they are happy with. And they are claiming that using a third party option to access it is forbidden. This is perfectly normal.
In essence this is the EFF trying to establish some ground in a new field. It's nowhere near as cut and dry as they present it, you had the choice to never upload that data in the first place. It's not a safety deposit box where you own the contents, it's a online social site that you chose to use and provide some data in order to be able to use it.
I've got no legal expertise, but that would be my first attempt as a devil's advocate.
But if you don't access it in a manner they are happy with, and thus violate the agreement to use Facebook, then shouldn't Facebook then terminate the agreement and its obligation to service you (aka, delete your account)? Of course facebook does not want to do that, so it seems like using criminal law to enforce their will is a bit unfair.
It's not a safety deposit box where you own the contents, it's a online social site that you chose to use and provide some data in order to be able to use it.
But the natural way people think about their personal information is that they own it. This needs to be codified into law. Perhaps activism along these lines is one of the most important things we should be doing as citizens of a digital age?
That's not Facebook's argument. Their argument is that a contract exists with their user. In that contract, the user agreed not to use 'automated' means of access.
Then, when the user has Power perform automated access, Facebook claims that a criminal law violation has occurred, because that's unauthorized access under their terms. They want that to be treated just like other California Penal Code unauthorized access -- access like exploiting a bug or stealing someone's password to view or change info never intended for you.
EFF says only a contractual violation has occurred; violating some arbitrary company-chosen 'terms of use' shouldn't be enough to trigger criminal enforcement.
It's an interesting and difficult distinction. So many of these systems and terms are defined by the arbitrary choices of coders and lawyers. At one level of abstraction, it's against the will of the system provider -- Facebook -- so it could be seen like a break-in.
But at another level, it's just a contract, and Facebook has other contract-enforcement options short of criminal prosecution: cancel the account, sue for actual damages, and so forth. If Facebook can define what's a 'crime' via arbitrary clickthrough terms, suddenly users and Power staff could wind up in jail for a terms-of-use violation that had no other economic damages.
"They want that to be treated just like other California Penal Code unauthorized access -- access like exploiting a bug or stealing someone's password to view or change info never intended for you."
Things have been stark raving mad since the Digital Millenium craziness act. Just like the software patent scene has been starkers since Amazon One-Click.
In most jurisdictions, I think in even when a sign like that's posted, you do at least have to ask the offender to leave before you can call the cops. If they walk into your restaurant without a shirt, you ask them to leave, and they refuse, then they're guilty of trespassing. But if they do leave when asked, you can't go ahead and press charges.
I believe an exception is if you've posted "NO TRESPASSING" signs, making it clear that it's private property to which all entry is prohibited. But if you've invited the general public in subject to conditions, and someone violates a condition, they haven't yet committed a crime, unless they also refuse to leave when you try to eject them.
In Facebook's case, I'd say they've invited the general public to use their service, subject to some conditions, and so no law should be involved unless they've specifically asked the person involved to stop using their service and the person continues anyway.
You will not collect users' content or information, or otherwise access Facebook, using automated means (such as harvesting bots, robots, spiders, or scrapers) without our permission.
So Facebook can give permission, and clearly have given permission via some interfaces.
If Power could have done everything they wanted to do via the official developer APIs, no doubt the case would be different.
Power continued even after Facebook asked them to stop (and further tried to block Power's IPs) -- so at least some of the access occurred when permission, if any, was clearly not given.
But is that a crime? Or a contractual violation or tort?
The idea is that there is "unauthorized access" to Facebook's computers, that is, the user accessed Facebook's systems in some way that Facebook didn't like. Facebook wants absolute jurisdiction over who and what can see information stored on their servers and they want the civil justice system to enforce this will on their behalf after-the-fact.
Under Facebook's claims, people could get arrested for something as small as using a browser or operating system that Facebook didn't like. If this idea is accepted, then Facebook can pretty much say anything and if you violate that thing and then access Facebook, Facebook would seek criminal penalties for your violation. For instance, if Facebook says "no person that doesn't own a pair of Nikes can access Facebook, under our new Nike sponsorship deal", and someone who doesn't own Nikes still accesses Facebook, Facebook would consider this "unauthorized access" and get mad. Or, if Facebook decides it doesn't like born in Florida, and they write "No one born in Florida may access Facebook", and you still access Facebook after being born in Florida, Facebook will try to get the police to come and arrest you.
Open Graph API is not unauthorized access because Facebook allows people to use it.
Under Facebook's claims, people could get arrested for something as small as using a browser or operating system that Facebook didn't like.
Under Facebook's terms, you could retrieve some Facebook pages from your cache, write a parser to parse your data and use it to harvest your data to a CSV file, and even this would be a violation.
I would say that it ceased to be "your" data once you typed it into facebook. Common sense should say that anything you send to a remote server is no longer under your control. I don't understand what the other side of this issue is.
If you keep data on your local machine and facebook comes and takes it from you, that's a problem. But if you voluntarily send it to them, then they're going to do whatever they want with it. How else would you expect it to work?
> I would say that it ceased to be "your" data once you
> typed it into facebook. Common sense should say that
> anything you send to a remote server is no longer under
> your control. I don't understand what the other side
> of this issue is.
It is your data under the law. Sure you may have handed it to someone else, but to say it is no longer your data just because it was handed to Facebook is like saying that you no longer have a Social Security Number when you provide it on a form to a bank (for example) or that when you are the victim of identity theft that you literally no longer have an identity.
Now, one should probably act as if handing their data to one person was like handing it to the world, but there are obviously limits. If I purchase hosting from a company and host my data 'myself,' does my data now belong to the hosting company?
> If you keep data on your local machine and facebook comes
> and takes it from you, that's a problem. But if you
> voluntarily send it to them, then they're going to do
> whatever they want with it. How else would you expect it
> to work?
The basis for your entire argument seems to be: "If you trust people, you shouldn't be surprised if they in turn stab you in the back." While possibly true, society would be non-functional if everyone were like that.
They control the data access but if they dump it to HTML and send it back to me then I can do whatever I want with that HTML.
All we're asking is for symmetry. If I send them data, they can do whatever they want with it inside the law, their ToS and privacy policy. If they send me data (even the data I previously sent them), I can do whatever I want with it inside the law.
Please, somebody, create a facebook competitor! Don't wait for Diaspora; I don't think their idea will work for the average user. This market desperately needs competition!
Facebook only works because everyone is on the same site.
A competitor would never gain enough traction to reach critical mass (defined as when the average person has an account on both) without some help from facebook in the form of a stupid business decision. Or if they managed to think of some killer feature.
But simply a copy will never work.
And BTW, the main reason you hate facebook is because they are big. So adding a competitor will not help you - eventually they will get big too, and you will hate them as well.
No, the main reason we hate facebook is because they are trying to press criminal charges on a company. Also, they keep changing what data they make accessable publicly, without warning, and have a ridiculous system of letting you chnage what is private/public.
In one sense - facebook becomes a natural monopoly. Back in say 2007/8 I had to log in to both facebook and myspace to see what my friends were up to. Now I just have to use facebook. That is much simpler and easier for me as a user.
That is the way facebook wants it to be but that could change. For now, you must log on to their service, see their ads and be exposed to their new mesmerizing features in order to connect to your facebook friends. The goal of this lawsuit is for applications like Power to be allowed to let users not need to log on to the facebook website to do this.
Maybe now, but a new competitor could do two things:
Be better in some way than facebook (not selling users private information would be an easy one)
Make it so that you could see what you friends were upto on facebook, but without being a user yourself.
Suddenly you cracked the chicken and egg problem, which is exactly why facebook goes after this with the force of the law.
A monopoly based on technology never lasts, but if you can build one on some kind of legal issue, you are golden.
I don't think they've entirely thought it through, but I understand they're working with open standards and talking to other similar projects. I think eventually some standards-based distributed alternative will come together, although I think a lot of people are going to be disappointed when Diaspora launches.
Well, you could probably get 30,000 people from quitfacebookday.com as a start. And if you are a viable competitor to facebook, you would probably get some good, free media coverage. If your product is good I don't think it would be hard to get your first million users. There are plenty of people dissatisfied enough with facebook to at least give a competitor a try.
And the marketing would be easy, as facebook isn't branded as the nice guy, but as the jerk.
What I miss is some website where I can choose who gets to read what I write: this post is for everbody, this is only for my family, this is for my work mates, this is for the general public, this is for my brother.
The advantage of this would be that you could move groups over one at a time (since they would get some benefit from it, people would want to use it) and it is something facebook can't do and don't want to.
> What I miss is some website where I can choose who gets to read what I write: this post is for everbody, this is only for my family, this is for my work mates, this is for the general public, this is for my brother.
If an application can see some data that wasn't shared with me, then I agree that's a pretty big problem. That an application I give access to see my data can see, well, my data, isn't a problem in my view.
Once your information is in Bobs hands, what he does with it is out of your control. Even if we consider a network that doesn't allow apps, what if Bob downloads SleazoCo Birthday Reminder (comes build-in with your Bonzi Buddy) that scrapes your birthday from the site? At least Facebooks terms forbids app-producers to save anything about users for more than absolutely needed, and SleazoCo can theoretically be banned from making FB apps if caught in violation of this.
Unless we're willing to consider DRM for social networks, this won't change with Diaspora or any other kind of software that puts your birthday on Bobs computer in any kind of standardized format.
Have you read You Are Not a Gadget by Jaron Lanier? I think you might like it. There is an entire section devoted to exactly what you just said, and how facebook essentially "removes the individuality" from its users.
At the same time he makes huge mental leaps that I completely disagree with (he said basically the same thing about open source/open culture) but there are several gems in the book.
How about a business opportunity? Modify an open source browser so that it lets someone navigate a website without being able to read anything on it or look at any pictures. Set up a Mechanical Turk style application that lets workers execute browsing sessions using the modified browser via VNC. The modified browser will save off all of the pages, which can then be parsed for information. The server will match up retrieved information with particular users. No worker will ever see any actual user data.
I guess that this relates in some way to cases where newspapers complain about companies like Google indexing their sites and effectively repackaging their news stories - and where violating terms of service (civil issue) crosses into unauthorised access (criminal issue).
It all comes down to what precisely am I allowed to do with a publicly available web page? I'm allowed to use a web browser to access it (presumably), but when does something stop being a web browser and start being an automated tool? I'm not familiar with the tool in question here, but could it be argued that in some ways it's no different than a web browser that pre-fetches linked content?
"Collecting Facebook usernames and passwords is at the heart of the dispute. Power.com impersonates a Facebook user after collecting their username and password."
I would still side with power BUT a TOS that says "you can't give your password to third parties" is a bit different from "you can't use any automated processes at all".
a) They are going after the third party, not the people that gave them their passwords, and
b) I believe Facebook also harvest passwords for other sites (hotmail etc)
c) In practice, there's not much difference between "Nobody can create a service that uses user's passwords to automate their Facebook access" and "You can't use any automated processes to access Facebook".
Parsing and correctly interpreting pages upon pages of legalese presents an undue burden on a well functioning market economy. Corporations can slip clauses into agreements that can give them vast power over their customers who do not understand the full ramifications of what they are agreeing to. There is very little cost involved to the corporation that tries to get away with this. There is a very great cost to our society in tying up our court systems with stupid crap such as this.
The only solution is to make the cost of writing illegal provisions into contracts greater to the perpetrator than the potential reward. I know there will be unintended consequences to what I propose. But surely there must be a way to send a stronger signal to corporations who willfully push legal boundaries and seek to obfuscate exactly what it is that consumers are agreeing to?