Who owns the data you create on Facebook? Who owns your profile information, your photos, your notes? I’ve asked this of many people, and the response is always the same: “I do!” It’s hard to even refer to such content without recognizing the perceived ownership of it. “Your data.” “User data.” I’d have to resort to uncomfortable contortions to avoid that language.
Facebook management seems to agree with this view. On an NBC round table interview, Facebook Chief Privacy Officer Chris Kelly was asked by the host, point blank, “does Facebook own my pictures, my poetry, my messages… yes or no?” Kelly’s response: “Absolutely not.”
That seemed to satisfy reporter Sarah Lacy, who accused the Consumerist blog of having “cooked up” the scandal over ownership of data on Facebook. But if you resist the calming spell of Facebook’s PR machine and actually look at their terms of service, a different picture emerges.
Imagine, if you will, that Facebook is a “bank” of content and social information. According to Facebook, I own the data I create within Facebook. What happens if I want to withdraw my data from Facebook and deposit it elsewhere? Facebook Connect sounds like just the ticket! According to their site, Facebook Connect allows me to ‘Seamlessly “connect” [my] Facebook account and information with [a third party] site.’
So what can I export? Here is what their Developer Terms of Service allows (in this case “you” means the third party developer — the competing “bank” if you will):
“Exportable Facebook Properties” means, as of any given time, any types of Facebook Properties that are expressly designated by Facebook at that time in the Facebook Platform Documentation and in the implementation of Facebook Platform as being “exportable” to Applications and Data Repositories operated by persons other than you. For the avoidance of doubt: (a) any types of Facebook Properties that are not expressly designated by Facebook in both the Facebook Platform Documentation and in the implementation of Facebook Platform as being “exportable” to such Applications and Data Repositories shall not be deemed Exportable Facebook Properties; and (b) Facebook reserves the right to revoke the designation of any types of Facebook Properties as being “Exportable Facebook Properties” at any time.
6) You may retain copies of Exportable Facebook Properties for such period of time (if any) as the Applicable Facebook User for such Exportable Facebook Properties may approve, if (and only if) such Applicable Facebook User expressly approves your doing so pursuant to an affirmative “opt-in” after receiving a prominent disclosure of (a) the uses you intend to make of such Exportable Facebook Properties, (b) the duration for which you will retain copies of such Exportable Facebook Properties and (c) any terms and conditions governing your use of such Exportable Facebook Properties (a “Full Disclosure Opt-In”);
Cool, so as long as a third party service gets my permission (opt-in) to export the Exportable Facebook Properties, that is allowed. So what properties are “Exportable Facebook Properties?”
Well, none. Not a single one. Nothing is exportable.
At this time, there are no exportable properties.
Data that is not exportable cannot be stored by services that utilize Facebook Connect, except for temporary performance-related caching purposes (up to 24 hours). If this were a bank, I’d only be able to spend my money within the bank itself. And when I protested, the bank would reply “we’re doing this for your privacy! We can’t be sure that a third party bank will protect your data’s privacy.”
It doesn’t matter what Chris Kelly says to the contrary. Their terms of service are binding — their PR spin is not.
Facebook’s definition of data ownership does not include the right to export that data. It’s “mine,” so long as I leave it under Facebook’s control.
In response to this latest flare-up over privacy and ownership of data, Facebook has posted a proposed set of “Facebook Principles.” Included with these principles is this:
They should have the freedom to share it with anyone they want and take it with them anywhere they want, including removing it from the Facebook Service. People should have the freedom to decide with whom they will share their information, and to set privacy controls to protect those choices. Those controls, however, are not capable of limiting how those who have received information may use it, particularly outside the Facebook Service.
This is a good step forward. Particularly helpful is the explicit admission that Facebook cannot offer both complete user ownership of data and complete user privacy of data. Once data leaves Facebook, they are powerless to control how it is used. That’s not something to fix, that’s a fact. Facebook can’t offer full ownership and centralized privacy controls. All they can do is protect the privacy of data when it exists in their system, and trust their users to make up their own mind about which third parties to trust with that same data.
The saying goes “if you love someone, you’ll let them go.” If Facebook wants a real relationship with its users based on trust, they need to be willing to let their users go.