March 19, 2024

Scoble/Facebook Incident: It's Not About Data Ownership

Last week Facebook canceled, and then reinstated, Robert Scoble’s account because he was using an automated script to export information about his Facebook friends to another service. The incident triggered a vigorous debate about who was in the right. Should Scoble be allowed to export this data from Facebook in the way he did? Should Facebook be allowed to control how the data is presented and used? What about the interests of Scoble’s friends?

An interesting meme kept popping up in this debate: the idea that somebody owns the data. Kara Swisher says the data belong to Scoble:

Thus, [Facebook] has zero interest in allowing people to escape easily if they want to, even though THE INFORMATION ON FACEBOOK IS THEIRS AND NOT FACEBOOK’S.

Sorry for the caps, but I wanted to be as clear as I could: All that information on Facebook is Robert Scoble’s. So, he should–even if he agreed to give away his rights to move it to use the service in the first place (he had no other choice if he wanted to join)–be allowed to move it wherever he wants.

Nick Carr disagrees, saying the data belong to Scoble’s friends:

Now, if you happen to be one of those “friends,” would you think of your name, email address, and birthday as being “Scoble’s data” or as being “my data.” If you’re smart, you’ll think of it as being “my data,” and you’ll be very nervous about the ability of someone to easily suck it out of Facebook’s database and move it into another database without your knowledge or permission. After all, if someone has your name, email address, and birthday, they pretty much have your identity – not just your online identity, but your real-world identity.

Scott Karp asks whether “Facebook actually own your data because you agreed to that ownership in the Terms of Service.” And Louis Gray titles his post “The Data Ownership Wars Are Heating Up”.

Where did we get this idea that facts about the world must be owned by somebody? Stop and consider that question for a minute, and you’ll see that ownership is a lousy way to think about this issue. In fact, much of the confusion we see stems from the unexamined assumption that the facts in question are owned.

It’s worth noting, too, that even today’s expansive intellectual property regimes don’t apply to the data at issue here. Facts aren’t copyrightable; there’s no trade secret here; and this information is outside the subject matter of patents and trademarks.

Once we give up the idea that the fact of Robert Scoble’s friendship with (say) Lee Aase, or the fact that that friendship has been memorialized on Facebook, has to be somebody’s exclusive property, we can see things more clearly. Scoble and Aase both have an interest in the facts of their Facebook-friendship and their real friendship (if any). Facebook has an interest in how its computer systems are used, but Scoble and Aase also have an interest in being able to access Facebook’s systems. Even you and I have an interest here, though probably not so strong as the others, in knowing whether Scoble and Aase are Facebook-friends.

How can all of these interests best be balanced in principle? What rights do Scoble, Aase, and Facebook have under existing law? What should public policy say about data access? All of these are difficult questions whose answers we should debate. Declaring these facts to be property doesn’t resolve the debate – all it does is rule out solutions that might turn out to be the best.

Comments

  1. Who owns your data on the Internet? [eng]…

    Robert Scoble was expelled from Facebook because he was using a script to export his contacts’ information for use in another service. Although his account has been reactivated, the debate has erupted: who owns that data? There are those who…

  2. Your analysis of ownership is spot on. Whenever I post something on Facebook, it is like I am giving out a business card or otherwise exchanging information. I do not post it if I want to keep it private!

    The bigger question is, who owns the servers and networks that host the data? Obviously, Facebook should be able to set policies regarding the usage of its database and services, or else the bad guys could have a hay day.

    While I agree that Facebook SHOULD allow as much openness as possible (considering the desires of its user base for privacy), they must make the decisions about how its network is to be utilized, and CLEARLY publish their usage guidelines. If a user violates those guidelines, Facebook should have the right to terminate their access (and, in extreme cases, even to sue).

    -James Lee Vann

  3. Lawrence, Privacy rights in Europe are no property rights, but a general obligation to treat personal information with confidentiality. You don’t own the information concerning you; but can (somewhat) restrict dissemination and, very important, have a right to get errors in your data corrected.

  4. Lawrence D'Oliveiro says

    Under US law there may be no ownership of personal details, but under European law, there would be. It’s worth noting the fundamental difference: the US has no real privacy law (the Fourth Amendment is a poor excuse for one).

  5. One thing worth adding here is that Facebook has no need to police potential abuse of shared information. There’s a natural mechanism to deal with that: people won’t share information (on Facebook or elsewhere) with people they don’t trust, and people that abuse trust stop being trusted. These are ancient social mechanisms that work adequately on any site where a user gets to choose to expose information only to specific other users. Mechanisms tens of thousands of years old, if not older.

  6. Speaking as an IP attorney, Felten got this exactly right — there is no “ownership” of the facts in question.

    But even if there were, it wouldn’t answer these questions. Consider sites like Flickr. Unlike the facts in Facebook, the photos on Flickr are plainly copyrighted works. But that doesn’t tell you anything about whether the copyright owner is entitled to access Flickr’s servers to make copies of the photos.

    Your ownership in an intangible (copyright or patent) does not come with any right to access particular copies of it that reside elsewhere. Flickr can delete all of your photos, and if you failed to make back-ups, nothing in copyright law would provide you recourse.

  7. I suppose all of this hinges on what Scoble was doing with the data: Was he just trying to get the data out so that he could have all of the contact information in his Google address book, or was he using it for commercial gain (even if it was Plaxo’s commercial gain)?

    I still disagree with Nick Carr. Sure my e-mail address is my e-mail address. But by posting it to Facebook (AND making it available to a specific user by actively friending them!) I’m allowing my “friend” to do as they please with my data. Okay, there are limits, but you can’t argue with the simple action of importing into your address book. Oh, and that “permission” for friends to use the data is irrevocable. That’s just how the internet works.

  8. Information can be owned.

    It matters not that it is easy to replicate information. The fact that information can be easily replicated only has a market effect for the sale of valuable information – one that, in hindsight, misguided fools attempted to remedy with copyright and patent around 300 years ago.

    It is copyright that creates the idea that all replicas of a published work belong to the possessor of the ‘original’ from which the replicas were made. This is the real folly, not the idea of owning originals or replicas. One doesn’t own a replica simply because of its provenance. One may trace authorship this way, but not ownership.

    Property ownership arises out of privacy.

    Material and intellectual property belongs to the private manufacturer or purchaser, until they sell it. The owner of property has a natural right to do what they want with their own property, which includes the manufacture of copies. Only the unethical privileges of copyright and patent suspend this natural right to provide commercial benefit.

    Information is just as rivalrous as any material good. The fact that we may both have identical chairs doesn’t interfere with our use of either, neither does the fact that we possess identical CDs. However, if you possess a CD or chair and I don’t, then I can’t possess an identical copy unless you permit one to be made and delivered to me (unless, of course, I know somewhere else where identical CDs or chairs may be obtained). The only difference is that CDs are easier to reproduce than chairs.

    Ownership is not communicated by similarity (patent) or provenance (copyright), but by our natural right to privacy.

    Intellectual property is not an oxymoron.

    Copyright and patent are unethical anachronisms in this digital age.

  9. I am afraid your “It’s worth noting, too, that even today’s expansive intellectual property regimes don’t apply to the data at issue here.” may not be completely true. I believe (IANAL) similar data might be copyrighted under database protection rights (http://en.wikipedia.org/wiki/Database_right), although it would be interesting to discuss whether the protection applies to the database from the point of view of Facebook, or from the point of its user.

  10. It makes no sense at all to apply the concept of ownership to most of this information. Not only do you not own information about your relationships, you can’t even own all of your own identity information, for various reasons I’ve already covered in detail here:

    http://notabob.blogspot.com/2006/01/on-absurdity-of-owning-ones-identity.html

    Thanks to Chris for the tip o’ the hat re: Limited Liability Persona, my definition of which can be found here:

    http://identityblog.burtongroup.com/bgidps/2006/11/the_limited_lia.html

    The idea’s recently been covered in the New York Times, which we noted here:

    http://identityblog.burtongroup.com/bgidps/2007/10/llp-in-the-new-.html

  11. Hooray! What seems to be a fundamental question is being. Does it even make sense to apply the concept of ownership to a lot of this stuff?

    Ownership only seems to be a useful concept in the case of rivalrous resources. That is, a resource that can’t be exploited by different parties simultaneously. If I use it (or have it), you won’t be able to. Examples of non-rivalrous resources are knowledge, facts, and a lot of what is being discussed here.

    It’s the reason I titled a talk I do ‘“Intellectual Property” is an Oxymoron’.

    Lawrence Lessig has a lot to say about this.

  12. News this morning relevant to this controversy:

    http://www.readwriteweb.com/archives/goog-fb-data.php

    “Bombshell: Google and Facebook Join DataPortability.org…

    “The DataPortability Workgroup announced this morning that representatives from both Google and Facebook are joining its ranks.”

  13. Look at this from a technology standpoint; as a server admin I don’t want automated scripts killing my servers. These types of scripts will often take a server to its knees due to the extremely high number of requests. I know for a fact that I would block any script that tried to access the server too fast.

    In my opinion this has nothing to do with the data and more to do with how the script works. What people have to remember is that external scripts sending thousands of requests is a bad thing.

    If people really want their data off of facebook then I think they (facebook) should create an API to allow them to get it off. Scraping pages is a bad way to get data from a site.

  14. There’s also an issue of scale. My work phone number is not a Big Secret; it’s on my business card. Neither is my manager’s phone number; it’s on his business card, and I might have legitimate reasons to give it to other people outside the company. However, we do not have induction; I specifically recall that “the company phonebook” was regarded as a confidential collection of information, not to be shared, published, etc.

    This being a legal thing, it is entirely possible to just draw some arbitrary line. Two friends good, four friends bad.

    Another thing to watch out for in the sharing and aggregation of data, is just how powerful little bits of data can be. I saw a talk by Latanya Sweeney on the difficulty of ensuring privacy — all the ways of masking faces, that don’t actually work; how easy it is to identify a person given (say) a birthday and zip code. To me, at least, this was all surprising and non-intuitive.

  15. Facebook is not protecting users’ friend data or the connections users have–they’re protecting email addresses. Email addresses on Facebook have always been in a special class, due to the fact that highly valuable .edu addresses were required until recently. Emails have never been accessible through the API and have been replaced by images to prevent the screen scraping attempted by Plaxo.

    Scoble is conflating his ability to export his “social graph” with his ability to extract all the email addresses of all of his friends. Every application a user joins can access her friends’ names and all other non-email information.

    The fact that so much information is available through the normal channels suggests that Plaxo is simply harvesting email addresses to spam. This would not be surprising, given Plaxo’s history of netiquette abuse (if not outright spam).

    Plaxo’s business model is based on importing your address book and then abusing your friends into joining (“We’re spamming you and you need to sign up with us to opt-out”). When they decided to stop being so abusive, the reason was not that they suddenly realized the error of their ways, but was because they had gotten the user base they needed (the spam had worked):

    …we’ve always known that the update requests were a means to an end — our goal has always been to get as many members as possible so that these e-mails were unnecessary. And it looks like we’re finally getting to that end.
    As of last week, we’ve passed 10 million members. We are now growing at over 50,000 users a day. Due to this great growth, the depth of our network, plus our heartfelt desire to be good net citizens, we have started phasing out update requests.
    This feature will probably always exist in some form, but we are no longer aggressively pushing new users to send out e-mails and are adding restrictions to prevent existing users from sending out large batches. Within the next six months (allowing for releases and upgrades to our base), you should see these messages drop to a trickle.

    This statement makes it clear that not only did they realize what they were doing was wrong (“plus our heartfelt desire to be good net citizens”), but they never had any desire to stop until they had gotten what they wanted (“our goal has always been to get as many members as possible so that these e-mails were unnecessary”).

    It appears that this latest scam is another round of email harvesting that will result in another round of spam. This time Scoble is doing their dirty work (what would the response have been if the headlines were “Plaxo banned for harvesting email addresses” instead of “Scoble banned”?)

  16. I agree with your analysis regarding ownership. It does not make sense to try to take a web of relationships among users and say that various aspects of this are owned. In this case I would say that contract law should govern. Whatever the TOS is for Facebook, if the users agreed to it then they should be bound by it. If users don’t like the TOS they can go someplace else. There are a thousand alternatives to Facebook.

  17. The issue that is most apparent from my (European) perspective is a privacy issue. For information that has been voluntarily published by the person it concerns there could be some small privacy issues when the information is republished in another forum to a different audience. It violates some assumptions made during the original publication. Another issue with copying of personal information is the issue of how to keep the information correct. This is not a problem at the original site, but how does one ensure that all copies stay up to date? Are copies of the data deleted when access to the original data is restricted? How does access restriction affect the update process?

    The last question is rhetorical.