Two-Faced
Marc Canter, among other things founder of PeopleAggregator, is squinting at Facebook's Developer Terms of Service trying to figure out: "can we display the list of friends one has in Facebook in PeopleAggregator?"
Clearly this is a bleeding edge issue. No one has ever encountered this before, because there have never been open APIs into social networks.
Let me back up a moment and mention that PeopleAggregator, if you're not familiar with it, builds on open APIs to create a uniquely user friendly and timesaving experience. Just pay a visit to the login page for an example of what I mean. Namely, you can use a flickr, livejournal, or sxore account to log in to PeopleAggregator. No need to populate yet another online account with your data; instead, through the magic of open APIs PeopleAggregator will bring it in for you from one of these other, unaffiliated services. I think I have that basically right anyway, please correct me if I don't. IANAP(rogrammer).
And while I can't say IANAL(awyer), before I turn to Marc's question (it's really two questions), I should emphasize to Marc (though he knows already), and anyone else who might be working with the Facebook API and/or looking at its Developer Terms: IANY(OUR)L(awyer). This is not legal advice. In fact,
I try to provide quality information, but I make no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained in or linked to from Lawgarithms. Legal advice must be tailored to the specific circumstances of each case, and laws are constantly changing, so nothing in Lawgarithms or any other weblog should be used as a substitute for the advice of competent counsel.
Seriously. Before you go putting your families' and employees' livelihoods on the line over issues like this, you must have the specific applicable questions answered by a qualified lawyer who actually represents you. I insist. 'Kay, now that we've got that behind us.
If I understand Marc correctly he's wondering first what the Developer Terms of Service say and/or mean, but also — regardless of those terms — wondering what kind of objections or complaints a developer might get from Facebook users who find their data on a non-Facebook site when they (the users) didn't affirmatively put it there.
Short answer: it looks to me like Facebook has at least tried to address both situations.
The portion of the developer terms Marc quoted seems pretty straightforward. If something (like a friends list) is viewable by someone using the Facebook site in a proper and authorized way (e.g., someone who hasn't hacked into some private database, but is just a regular, law abiding user), then, as far as Facebook is concerned, it's fair game to display it on a non-Facebook site whether you retrieve it with the "Developer Platforms" (including the APIs), or collect it in some other (presumably lawful) way.
So what then of the FaceBook user who might not want, for example, to be identified as their friend's friend on another, non-Facebook site? Well, Facebook's Terms of Use for users attempt to eliminate such objections by saying, essentially, "you put it here and leave it here, it's ours, to do with whatever and redistribute however we like:"
By posting Member Content to any part of the Web site, you automatically grant, and you represent and warrant that you have the right to grant, to the Company an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use, copy, perform, display, reformat, translate, excerpt (in whole or in part) and distribute such information and content and to prepare derivative works of, or incorporate into other works, such information and content, and to grant and authorize sublicenses of the foregoing.
You may remove your Member Content from the Web site at any time. If you choose to remove your Member Content, the license granted above will automatically expire.
In other words, I wouldn't worry too much about missing Mark Zuckerberg at the TechCrunch party, presumably he would have told you what his site's terms essentially say: as far as Facebook is concerned, it has contracted with users to redistribute their data, including via APIs, if that's what Facebook decides to do. (Nothing in Facebook's Privacy Policy makes me see this any differently.)
My assumptions about what Facebook would say on the subject aside, that shouldn't be the end of the inquiry. It's certainly possible to challenge the enforceability of a site's terms of service, particularly if they're the "browse-wrap" variety, as opposed to the kind where you have to click "I have read...and agree," or the like. (Not being a registered Facebook member, I'm unfamiliar with the particulars of the process, but most sites today are smart and require users to make some affirmative, documentable gesture of agreement.) Moreover, we live today in a dense forest of privacy legislation, and I don't pretend to be familiar with most, let alone all, of it. In other words, it's possible someone could (1) object to the kind of use you describe, and (2) find some legitimate legal basis to challenge the Facebook terms pursuant to which it would take place. I'm personally skeptical about such a challenge's chances of success — we're talking friends lists here, not SSNs — but what do I know? Exactly nothing. Social networking site developers grappling with this issue are right to flag it, consider it, and get appropriate legal advice about it.
Related reading: eff.org/privacy; Wikipedia on Internet privacy (A quick review of those will confirm for you how right Marc is about this being bleeding edge.)