TwitterFacebookEmailRSS

The Facebook Novel (That No One Will Read)

A good lawyer will tell you, “Never sign anything that you haven’t read or don’t understand.”  The same goes for accepting online agreements. But even in the face of so much sound advice, personal experience and anecdotal evidence suggest that reading the whole contract is batting well below the “Mendoza Line.”  You, however, are a diligent, meticulous, go-getter that always sweats the contract details, devouring the whole document for the smallest of minutia – right?  But what if that document includes links?  Do you read the links?  Are they incorporated into the parent agreement “by reference?”[1]  What if there are a lot of links?  What if the links contain links?  Enter Facebook’s newly updated terms, policies & “Privacy Basics”:

As you might’ve heard, on January 30th Facebook will be rolling out new language for their Statement of Rights and Responsibilities, Data Policy and Cookies Policy.  The opening paragraphs of Facebook’s initial announcement link to an explanatory privacy tool and 3 separate policies to be updated.  I won’t even attempt to form a legal opinion about what’s incorporated by reference in these updates and what isn’t.  Instead I wanted to figure out, as a techie lawyer, how much documentation and legalese does one have to consume to wrap their head around their rights and responsibilities as one of Facebook’s 1.35 billion active users.  The initial announcement alone included 14 unique links – to do this correctly, clearly I was going to need some terms and guidelines of my own.

“Supersizing” Facebook’s New T’s & C’s

Morgan Spurlock’s “Super Size Me” kept popping to mind.  In his 2004 documentary [2] Spurlock eats nothing but McDonald’s, 3 full meals a day, for a month and documents the results.  He lays out a few ground rules for the experiment but there was one that seemed relevant:  If the person taking the order asks if he’d like to “super size” the meal he’d say yes.  My analog was, “If the referenced document includes a link, I will click on that link as well.”  Unfortunately, the Facebook policy ecosystem is a wee bit more complex than the McDonald’s menu board, so this was going to require a few additional conditions to keep the results relevant & manageable.  My rules for a link to be included in the relevant Facebook T’s & C’s:

  • Only pages reached by following downstream links of the Facebook updated terms & policies announcement are in scope.
  • The linked content is related to privacy, security, rights and/or responsibilities.
  • The linked content is in the main context of the linked page (not the menu, template, banners, style sheets, peripheral web assets, etc.)
  • The content is applicable to users in the U.S., and not just users of a specific state.
  • Settings, configurations and purely technical information are not included unless they are related to managing or understanding some aspect of privacy, security, rights and/or responsibilities.
  • Links to external domains may be considered relevant and included, but no other links from those external domains can be clicked (“1 outside click” rule.)

Sounds like I’m considering a lot of content “out of bounds”, doesn’t it?  Again, I’d just like to restate the objective here:  If we assume incorporation by reference, starting with the Terms & Policy Update Announcement and using only clicks on relevant provided links, how much reading is involved in grasping everything Facebook wants you to know about terms, conditions, rights and responsibilities?

Any guesses?  In terms of links?  Unique documents?  Pages?  Words?  Last chance to formulate a guess…

Hint:  My link tree just for organizing this project was 26 pages and nearly 4,500 words long (with each URL being interpreted as only one word, mind you.)

STATISTICS : [3]

  • 358 total links
  • 118 “unique” links
  • 5 external links
  • 2 instances of the “Privacy Dino
  • 2 broken links
  • 1 additional set of terms that you’d need to accept to use Custom Audiences features.
  • The total, nonduplicative text of these 118 unique pages comprises:  67,401 words
  • Or a 164 page standard format Word document

WHAT I LEARNED READING THE FULL TEXT OF THE FACEBOOK TERMS & POLICY UPDATES:

  • If it were a book, this text of the T’s & C’s would be longer thanTreasure Island, The Color Purple, The Scarlet Letter, All Quiet on the Western Front or Lord of the Flies
  • One of the closest books in terms of word count is John Green’s “The Fault in Our Stars” , and while I have been neglecting the adolescent romance titles of late, I can’t say for certain which text I would rather have been reading this past weekend. [4]
  • A good portion of the privacy content is geared at privacy with respect to other users, while that is important and the Facebook internal mechanisms aren’t completely opaque there are still a lot of questions about what goes on with our data under the covers and with Facebook’s partners.
  • This link allows you to opt out from online behavioral advertising campaigns with over 100 companies.
  • Of the 118 unique links visited, this is the only one that actually underlines (potentially legally incorporated by reference) links and doesn’t force you to squint for the nearly indiscernible dark blue link text as opposed to the regular black font.
  • The Facebook Principles are pretty good stuff.
  • Really want to trigger your “Privacy Spidey Sense?”  Check out your Facebook metadata.
  • These Facebook Companies links lead to 10 other Facebook subsidiaries with “privacy” in the URL.  The majority of these companies have their own privacy link tree and are not using these terms & conditions.
  • Facebook Payments, while not a separate company per se, also has its own privacy policy.
  • Facebook has a lot of products and services (e.g. Mobile, Messenger, Paper, etc.) in the Facebook ecosystem.  Regarding those services:  “in some cases, products and services that we offer have their own separate privacy policies and terms.”
  • So, 67,000 words (or one “Fault in Our Stars”) later, if something is designated as a “service” (like whether I’m using the mobile app or the messaging function) then none of this may apply???

But perhaps the most interesting link, in my opinion, is the page for “How can I report a legal violation of my rights other than copyright or trademark rights?”  This link will net you 64 total words asking you to write out the reason you’re writing, the right you believe was infringed, and your legal basis for claiming the right.  And that’s just it – we probably need 67,000 word Terms & Conditions frameworks because we live in a litigious, open society that has done little to define rights and expectations around data, identities, and identity attributes beyond the monetization of those elements under Intellectual Property law.  There is a presumptive expectation that because someone built these online services and you avail yourself of those services, that any data gathered, actions tracked and correlations realized are the sweat equity and the work product of the service.  But after another look at your Facebook Metadata, is there a question about whether the value lies in the service or is inherently an inextricable part of the individuals using it?

Let’s be clear, this is not intended as an indictment or a defense of Facebook. I appreciate the ecosystem of people and interactions Facebook provides.  Their policy update was worth exploring because of the number of users and the nature of the data involved.  But the core issue that forces a company to draft a 67,000 word terms framework in the first place is not unique to Facebook.  We have a critical mass of personal information, growing and expanding avenues of intended and unintended exposure of that information, and next to no substantive guidelines steering our expectations, responsibilities and duties in handling it.  We must set out to create those guidelines – or am I the only person who feels it’s just as unreasonable to maintain an environment where every online company drafts a 67,000 word policy structure as it is to expect every user to read it?


[1] Because every reputable explanation of a legal concept includes a Wikipedia link.

[2] And potential Jim Gaffigan dream sequence.

[3] Now might be the right time to point out that I made my best effort to catch every link, document meticulously, keep all included links relevant and have no duplicative material. I don’t believe I made any mistakes in capturing this material but I would not be surprised in the least if mistakes were made. Further, “relevant to privacy, security, rights and/or responsibilities” is a subjective concept (especially in regard to technical controls, interface settings, and configurations). Rational thinking people may have differing opinions as to whether I was too restrictive or lenient in my inclusions. Regardless, given my guidelines, I am very comfortable with these figures.

[4] Or as one friend informed me, “A maudlin nonsense piece about a girl with cancer whose love for her boyfriend doesn’t cure cancer.”

Leave a Reply

Your email address will not be published. Required fields are marked *