Rex Shoyama is a Visiting Professor and the Assistant Director of IP Osgoode.

The general presumption in the Web 2.0 world is that a greater level of sharing and interoperability is a better thing.  However, the method in which this sharing is attained should not be ignored as it can have significant legal ramifications.  Rushing to tear down the “walled gardens” between social networks without careful thought to product development can present great stumbling blocks later. 

For example, Power.com is a site that allows its users to interconnect easily and manage all of its social networks (e.g. Facebook, Myspace, Orkut, etc.) from one place.  The service allows users to keep all of its different social network accounts synchronized.  For example, if you use Power.com to update your profile on Facebook, your Myspace account will automatically be updated.  Power.com also allows content and messages to be easily moved from one network to another.

Unfortunately, the way in which Power.com provided this service has upset Facebook, resulting in a recent lawsuit.  At the heart of the dispute was the fact that Power.com was soliciting (and storing) Facebook users’ login information and passwords in order to provide its aggregation services.

After the complaint was filed in the US District Court in San Jose, (a PDF copy is available on the New York Times website here), Power.com subsequently removed Facebook related features from its service and posted a notice on its home page stating that it would be changing its implementation to instead use Facebook Connect (Facebook’s preferred method for applications interfacing with Facebook).  The notice also states that “Power.com is focused on providing value added services to social network users and it is not necessary for us to store the users name and password if a site prefers that we don’t.” 

While it appears that this dispute will be settled fairly soon, there are still a few interesting things to consider about this complaint.  The complaint alleges (among other things including copyright and trademark infringement) unauthorized access in violation of the Computer Fraud and Abuse Act due to a violation of Facebook’s terms of service (TOS).  Given the result in the recent and widely reported Lori Drew case, it appears that a very broad reading of “unauthorized access” may apply.

For their part, Power.com appears to have taken the view that their own services act akin to a web browser, and that Power.com is simply acting as a facilitator for users who wish to access data that is already accessible to them on their various social networks.  Some people who are critical of Facebook’s position also feel that the users “own” the data in their profiles and therefore should not be stopped from using a service like Power.com.

While the question of who has “ownership” over social network profile data is debatable, there certainly appears to be a clear violation of Facebook’s TOS in this case.  Facebook’s TOS clearly state that users must not “use automated scripts to collect information from or otherwise interact with the Service or the Site”.  There are legitimate reasons for companies such as Facebook to want to avoid allowing the scraping of content through automated means.  In fact, when it comes to freely sharing information across websites, the reality is that there has been (and continues to be) an “an awkward dance going on, an unregulated give-and-take of information for which the rules are still being worked out”.  Many of these content scraping practices have been allowed due to business norms (where they likely would be violations of the terms of service of the sites, from a strict legal perspective). 

It may be the security and privacy implications of what Power.com was doing that was most troubling.  While it is debatable whether these issues were Facebook’s primary reason for ultimately bringing a lawsuit, Power.com’s collection of all the login information for all of a user’s social network sites does not seem like a good idea from a security viewpoint and is “sketchy” as one commentator put it. 

While some have criticized Facebook as being heavy-handed, in these circumstances it would not be prudent for Facebook to simply ignore how other third parties are accessing their users’ data.  Maintaining trust with their users is paramount to their business. Furthermore, the company has already recently faced a great deal of criticism for its privacy practices (for example, the Canadian Internet Policy and Public Interest Clinic filed a complaint against Facebook under Canadian Federal privacy legislation in May 2008).  

Finally, we may not want to assume that full scale, unabashed sharing between social networks is desirable for all users.  We may want to query whether or not the ability to easily copy content from a friend’s profile in Facebook into other different social networks is necessarily a good thing (that particular friend may have made assumptions about how his Facebook content would be used and might not want his Facebook photos shared outside of Facebook).  Ultimately, it seems prudent to encourage the taking of measured steps towards finding better ways to achieve desirable interoperability between social networks, rather than jumping right over the “walled gardens”.  This will help ensure that more users have informed choices and understand where their information may end up and how it may be used.

Posted in General, Privacy, Technology