Blog of Burgess

Monday, February 16, 2009

Facebook is Out to Get Us. Or are They?

I’ve been following the general outcry in the blogosphere and on Twitter about the revision of Facebook’s Terms of Service on February 4, 2009.

And I’d like to say this in response, “Could everyone please get a grip for five minutes? You’re giving me a headache....”

But seriously, if you haven’t been following the controversy, here’s what’s happening. Facebook updated their Terms of Service at the beginning of February and removed some language from their License section.

The Consumerist covered it in an article entitled Facebook's New Terms Of Service: "We Can Do Anything We Want With Your Content. Forever."

In pertinent part, the article mentioned that the new Facebook Terms of Service reads as follows:

You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof.

The article goes on to state that, “That language is the same as in the old TOS, but there was an important couple of lines at the end of that section that have been removed:”

The lines in question are as follows:

You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.

This set off a hailstorm across the web. The Twitterverse (Twitter universe) went absolutely batty. People fretted about the content that they’re uploading (or have uploaded) to Facebook. They even, in some cases, threatened to stop using Facebook altogether.

And they’re not altogether wrong. Your only recourse to avoid the provisions is to stop using Facebook.

Except...

Hey, I write Terms of Service for a living. You need to understand that Terms of Service are really a game of chess with your users where the penalty is not losing a player when you do it wrong, it’s a lawsuit. When I first read the articles, my first thought was that their lawyer was trying to avoid lawsuits for mistakes that might be made by Facebook by continuing to publish information from users who have terminated their accounts. I’m always trying to come up with the best way to protect my clients from lawsuits.

And I’m gratified to know that I’m about right. Today, Facebook CEO Mark Zuckerberg posted an update on the Facebook blog to let everyone know what was intended by the changes in the Terms of Service. You can find his post here. It is entitled, “On Facebook, People Own and Control Their Information.”

So, everyone stand down and take a deep breath. Please.

Are you still worried? Here’s what I would suggest...

Don’t place any information (photos, articles, blogs, etc.) on Facebook that you wouldn’t like for Facebook to have a license on. Simply place it somewhere that you have control over, and put the link on your Facebook page. That way you can share it with your friends and Facebook doesn’t have any of your copyrighted “content” to exercise their license over. It’s really the safest way to go...


Wednesday, February 4, 2009

Someone's Stolen My Email Database! What Do I Do Now?!?

I had a frantic client call me this week (OK, that’s not true. He emailed me, but you get the idea).

He had just found out that his site was the victim of an attack. The attacker stole all of the email addresses kept in his database, both opted in and not opted in.

The attacker then proceeded to use a false header (that falsely indicated that he was my client) and sent an email to all of the email addresses that he had stolen. (No, I don’t know the sex of the attacker, but I’m calling the attacker “he” for convenience.)

Even worse, the attacker set up the email so that anyone replying to the email would automatically email everyone else on the list. Ouch!

So, what do you do if this happens to you?

The very first thing you do is to contact the Federal Bureau of Investigation (FBI) in your area and ask to speak to the Computer Crimes Division. You need to report the crime that has taken place. Make no mistake about it. This is criminal.

The next thing you do is compose an email to the entire list (both opted in and not opted in) explaining what has happened and the steps that you’re taking to rectify the problem, and assuring them that the email was not from you and that they should ignore the email altogether.

You then need to contact the appropriate people to find out how the criminal broke in to your database. Right after that, you need to “plug the hole” and figure out a way to make your system more secure.

While you’re at it, you should seriously think about your privacy policy and data retention policies. Make sure you have them and that you’re following the guidelines for protecting your customers’ information that you’ve set forth therein.

If you don’t have a privacy policy, get one. If you don’t have a data retention policy, draft one. If you don’t know what a data retention policy is and/or why you should have one, you can check out my guest blog here about data retention policies.

Well, what’s the worst that can happen, right?

You really want to know? I’m warning you, it’s not pretty.

Let me give you your nightmare scenario…

You might think that the worst case scenario is that you’re caught by your ISP or even by the FTC for violations of the CAN-SPAM Act.

But that’s not it. Though I’d rather give myself a frontal lobotomy with a home kit than to deal with the FTC again...

The real nightmare scenario is that you had emails go into the State of California. You see, to the government or even to your ISP, it’s easy enough to prove what happened. It’ll cost you, but it can be done.

But, under California Business & Professions Code § 17529.5, the State of California gives a private right of action to consumers who receive unsolicited commercial emails with falsified header information. And it’s a $1,000 hit per email.

Let me say that again.

California residents who receive an email from what appears to be you with false header information can sue you in small claims court for $1,000 PER EMAIL. And what they have to prove to be successful is minimal. You have the burden of proving that you didn’t send or sanction the sending of the emails.

I'm not saying that you're actually liable. You're not. You could meet the burden of proving that you didn't send or authorize them, but it would be unbelievably costly to defend all of those suits. If they were filed in small claims courts all over California, you'd have to fly to each location and defend each one.

Well, couldn't you just ignore them then? What's the worst that could happen?

The worst that could happen if you didn't defend is that you could be found liable in all of those suits. And that adds up. Fast.

Let’s say that your database had only 10,000 email addresses that were stolen by your friendly, neighborhood criminal. And since there are 50 states, let’s assume that the email addresses were evenly distributed (which, of course, they’re not). So that makes 200 email addresses in California.

At $1,000 per email, that’s $200,000. What if you had 20,000 email addresses? Or 50,000? Or even 100,000?

Are you starting to see how this could really ruin your day?

Don’t let this happen to you. Make sure your databases are secure. Make sure all of your customer information is as secure as you can make it.

And if it does happen, do whatever you can to mitigate the damages.... Quickly!
