How Not to Obtain Online Consent, or Why Panera Bread Owes Me Free Muffins

When I need to edit an article, I will sometimes park myself at a booth at the local Panera Bread, sipping the decent coffee, snacking on the beautiful (notice I didn't say tasty) pastries, and using the free WiFi. Long ago, I noticed that Panera had made a stupid technological mistake that probably strips it of the right to manage its network lawfully.

Panera tries to extract consent from its users using what is known as a captive portal, the same method used by most hotel and airport WiFi network providers. When a Panera WiFi user first tries to connect to any website, Panera's computers redirect her instead to its own web page with a link to its terms of service (ToS). Only when the user clicks "I agree" may she start surfing.

Compared to some of the other methods Internet providers use for attempting to obtain consent, a captive portal deserves some praise. It is much more likely to be noticed and read than a ToS or privacy policy link buried on a home page (or, as the case may be, not even on the home page). It is better than the paper privacy policies my credit card companies send with their monthly bills, usually along with a half-dozen ads. Unlike either of these methods, a captive portal acts like a virtual stop sign--until you click "I agree," you can go no further. (Of course, calling even a captive portal meaningful consent seems to stretch things if the ToS offered are dozens of pages long.)

But if Panera ever tried to enforce its WiFi ToS--say it got caught monitoring user communications and had to defend against a wiretapping lawsuit or say it was sued for banning a user suspected of downloading porn in violation of the ToS--a court should probably hold that its ToS are unenforceable. Panera has made a simple web design mistake that introduces doubt about what terms are being agreed to by its users.

Like many sites, Panera displays the ToS within a text box. It probably does this to save screen real estate: with a text box, it can allow the user to scroll through a smallish-square rather than be faced with a dauntingly long web page. But carelessly, Panera made its text box EDITABLE! To see what I mean, compare the two text boxes below:

This text box is marked readonly; you should NOT be able to edit this text.
This text box is NOT marked readonly; you should be able to add, delete, and modify this text.

At the very least, Panera will have a hard time proving to a court that a particular customer didn't delete all of the ToS before clicking "I agree." But, there is a crazier possibility: Every time I am faced with Panera's editable ToS, I delete all of the text and replace it with a proposed contract of my own. Here are some of the contracts I have proposed:

• "By allowing me to surf the web using your network, you agree to give me one free muffin every day for the rest of my life."
• "By allowing me to surf the web using your network, you agree to name me CEO of Panera Bread for a day. I choose next Tuesday."
• "By allowing me to surf the web using your network, you agree to change the name of your company to Pantera Bread, and the name of your 'Frontega Chicken' sandwich to 'Cowboys from Hell' Sandwich.'"

I know enough about the http protocol and cgi-bin to know that my modified ToSes probably get transmitted back to a Panera, er, Pantera web server. Are my contracts enforceable? Probably not. But my arguments for enforceability sound no less ridiculous than some of the arguments made by those seeking to enforce click-wrap and buried ToS "contracts".

Excuse me while I go try to claim a free muffin.

Posted by Paul Ohm at 11:39 AM | Comments (14) | TrackBack

The End of Privacy?

I've written an article for the September issue of Scientific American magazine called The End of Privacy? The article is available online here, with a slightly different title: Do Social Networks Bring the End of Privacy?.

The entire issue is devoted to privacy, and there are some other really interesting articles. Here are links to the other articles in the issue:

Whitfield Diffie and Susan Landau, Internet Eavesdropping: A Brave New World of Wiretapping

Steven Ashley, Digital Surveillance: Tools of the Spy Trade

Katherine Albrecht, How RFID Tags Could Be Used to Track Unsuspecting People

Anil K. Jain and Sharath Pankanti, Beyond Fingerprinting: Is Biometrics the Best Bet for Fighting Identity Theft?

Mark A. Rothstein, Tougher Laws Needed to Protect Your Genetic Privacy

Simson L. Garfinkel, Data Fusion: The Ups and Downs of All-Encompassing Digital Profiles

Peter Brown, Privacy in an Age of Terabytes and Terror

Esther Dyson, How Loss of Privacy May Mean Loss of Security

Anna Lysyanskaya, Cryptography: How to Keep Your Secrets Safe

Posted by Daniel J. Solove at 12:03 AM | Comments (0) | TrackBack

Justice Breyer's Information Available on Limewire

It does not take much to have a security breach. Just one person can facilitate it. In this case, someone at a high-end investment firm installed LimeWire at the office. According to AP the breach began at the end of last year and continued to June of this year. Breyer’s birthday and Social Security number were part of the breach. Apparently around 2,000 other clients have also had their data shared on LimeWire.

Again the fact of data leaks or breaches is not so new. But given the high profile of the people involved in this one, there may be a movement to have laws passed about the problem. Remember video rentals matter because of Robert Bork’s encounter with data privacy issues during his nomination for the Supreme Court. This data problem is different from Bork’s. So a legislative response may come but it will likely address the issue of identity theft. On the other hand, if senators, representatives, and White House staffers found that even their legal but perhaps interesting surfing habits were part of public knowledge and gossip, maybe the data collection and Internet monitoring that some think is necessary will be seen a threat. One paper that may be of interest on this idea is Neil Richards’s Intellectual Privacy.

Posted by Deven Desai at 01:01 PM | Comments (0) | TrackBack

The Privacy Paradox

Over at the New York Times's Bits blog, Brad Stone writes:

Researchers call this the privacy paradox: normally sane people have inconsistent and contradictory impulses and opinions when it comes to their safeguarding their own private information.

Now some new research is beginning to document and quantify the privacy paradox. In a talk presented at the Security and Human Behavior Workshop here in Boston this week, Carnegie Mellon behavioral economist George Loewenstein previewed a soon-to-be-published research study he conducted with two colleagues.

Their findings: Our privacy principles are wobbly. We are more or less likely to open up depending on who is asking, how they ask and in what context.

In one interesting experiment, students who were provided strong promises of confidentiality were less forthcoming about personal details than students who weren't provided such promises. The researchers explained this behavior as based on the fact that when an issue is raised in people's minds, they think about it more and are likely to be more concerned about it. Ironically, promising people that their privacy will be protected actually makes them think more about the dangers of their privacy being breached.

There is indeed a growing body of research that examines why people frequently state in polls that they value privacy highly yet in practice trade their privacy away for trinkets or minor increases in convenience. The work of Professor Alessandro Acquisti explores some of the reasons why people might not make rational decisions regarding privacy despite their desire to protect it.

I have also written about this in my new book, UNDERSTANDING PRIVACY (Harvard University Press, May 2008). In particular, I argue that looking at expectations of privacy is the wrong approach toward understanding privacy:

If a more empirical approach to determining reasonable expectations of privacy were employed, how should the analysis be carried out? Reasonable expectations could be established by taking a poll. But there are several difficulties with such an approach. First, should the poll be local or national or worldwide? Different communities will likely differ in their expectations of privacy. Second, people’s stated preferences often differ from their actions. Economists Alessandro Acquisti and Jens Grossklags observe that “recent surveys, anecdotal evidence, and experiments have highlighted an apparent dichotomy between privacy attitudes and actual behavior. . . . [I]ndividuals are willing to trade privacy for convenience or to bargain the release of personal information in exchange for relatively small rewards.” This disjunction leads Strahilevitz to argue that what people say means less than what they do. “Behavioral data,” he contends, “is thus preferable to survey data in privacy.”

But care must be used in interpreting behavior because several factors can affect people’s decisions about privacy. Acquisti and Grossklags point to the problem of information asymmetries, when people lack adequate knowledge of how their personal information will be used, and bounded rationality, when people have difficulty applying what they know to complex situations. Some privacy problems shape behavior. People often surrender personal data to companies because they perceive that they do not have much choice. They might also do so because they lack knowledge about the potential future uses of the information. Part of the privacy problem in these cases involves people’s limited bargaining power respecting privacy and inability to assess the privacy risks. Thus looking at people’s behavior might present a skewed picture of societal expectations of privacy.

Posted by Daniel J. Solove at 01:04 PM | Comments (5) | TrackBack

Do We Need an Internet Ed. Class?

While I was attending the excellent privacy conference Dan Solove and Chris Hoofnagle organized in D.C. a few days ago, it occurred to me that just as one takes driver’s ed. before being able to drive a car, it might make sense to have a required Internet Education class in middle school. Driving is a key way people engage in the economy, and the Internet, especially email and social networking use, is becoming as essential if not more so. Given all the benefits and problems of the Internet from meeting new people and peer production to unfortunate gossiping and dog poop events, it dawned on me that Internet Ed. might fill a gap that appeared as I listened to various people at the conference.

During the two days, several discussions seemed to turn to the way information placed online can offer tremendous benefits but also pose harms. That idea is not so new. But an underlying theme was that this tension is greater than before. Given the increased reputation problems of the Internet, some folks talked of a more paternal approach to reminding people about privacy (or lack of it) on work computers. The problems of PGP and complex privacy policies as opposed to easy-to-read ones as opposed to heavy opt-in ones and how people perceive the differences posed several paradoxes. In other talks people expressed concerns about cutting off the openness that has made the Internet what it is today. Many questioned just how informed people are about privacy and even if informed how much they care. These ideas should be familiar to those interested in privacy, but so many people sharing ideas about an evolving area of the law and truly seeking to find ways to solve problems made the conference invigorating.

For example, Lauren Gelman is working on how online presence operates under a binary system of public or private yet many think of their online presence as limited essentially to those in one’s circle but with a few new people possibly joining the circle. To me it seems that in some cases people might know that anyone could look at one’s pictures, blogs, MySpace pages etc. In others, some might know that but just not expect that outsiders would look. And some may be quite unaware of the way little things can catch fire and draw attention to what had been a small, personal moment. And then it hit me, why not have Internet Ed.?

Internet Ed. at an early stage might address the possible generation gap in understanding what is privacy and how the Internet works. Like driving, using the Internet can open up tremendous possibilities for fun and for work. Like driving, irresponsible or uninformed Internet use can lead to undesired consequences. Like driving, horror stories of how a picture from a drunken party ruined someone’s job prospects may not deter irresponsible Internet behaviors across the board. Still, by setting out the way in which irresponsible or immature behaviors such as sharing too much information about one’s personal life, not checking about how a site uses personal financial information, and childish rants can affect one’s life, people would have some sense of the possible repercussions of their acts. None of this idea is to suggest that people won’t continue to rant etc. regardless of age. And none of this idea is to suggest that people should act the same way at all times under some sort of enforced code of conduct (although the idea behind sites that choose to establish rules and use their community norms to shape the rules seems well in line with some of the benefits of the Internet). Rather, as a friend noted, the Internet may be similar to tattoos and piercings. In the near future many more will have them and so it will not be as big a deal. Still, in some areas of life such as politics and upper management, one may have to explain that largish hole in one’s ear or the tongue sneaking out of one’s collar towards one’s jaw. So Internet Ed. may help bring home the idea that certain acts may seem great and even be great at the time but others, and even the person who liked the act at the time, may see those moments differently later in life.

Image Source: WikiCommons
Author: strngwrldfrwl
License: Creative Commons Attribution ShareAlike 2.0 License.

Cross-posted at Madisonian

Posted by Deven Desai at 10:13 AM | Comments (4) | TrackBack

Is the Computer Fraud and Abuse Act Unconstitutionally Vague?

At the National Law Journal, attorney Nick Akerman (Dorsey & Whitney) contends that the Computer Fraud and Abuse Act (CFAA) indictment of Lori Drew (background about the case is here) is an appropriate interpretation of the statute:

While this may be the first prosecution under the CFAA for cyberbullying, the statute neatly fits the facts of this crime. Drew is charged with violating §§ 1030(a)(2)(C), (c)(2)(B)(2) of the CFAA, which make it a felony punishable up to five years imprisonment, if one "intentionally accesses a computer without authorization . . . , and thereby obtains . . . information from any protected computer if the conduct involved an interstate . . . communication" and "the offense was committed in furtherance of any . . . tortious act [in this case intentional infliction of emotional distress] in violation of the . . . laws . . . of any State."

There is no question that the MySpace network is a "protected" computer as that term is defined by the statute. Indeed, "[e]very cell phone and cell tower is a 'computer' under this statute's definition; so is every iPod, every wireless base station in the corner coffee shop, and many another gadget." U.S. v. Mitra, 405 F.3d 492, 495 (8th Cir. 2005). There is also no question that a violation of MySpace's TOS provides a valid predicate for proving that the defendant acted "without authorization." What the commentators ignored in their critique of this indictment is that the "CFAA . . . is primarily a statute imposing limits on access and enhancing control by information providers." EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003). A company "can easily spell out explicitly what is forbidden." Id. at 63. Thus, companies have the right to post what are in effect "No Trespassing" signs that can form the basis for a criminal prosecution.

If this interpretation of the law is correct, then the law is probably unconstitutionally vague. A vague law is one that either fails to provide the kind of notice that will enable ordinary people to understand what conduct it prohibits; or authorizes or encourages arbitrary and discriminatory enforcement. The CFAA, as construed by the prosecution in the Drew case, will probably be found vague because it authorizes or encourages arbitrary and discriminatory enforcement.

Suppose I put a notice on this post that says: "No attorneys may post a comment to this blog." Suppose Nick Ackerman comes to this site, sees this post, and and writes a comment that is defamatory. Under his theory, he can be prosecuted for violating the CFAA. He has "trespassed" on this site. Moreover, if a blog has a policy that it will not tolerate "rude, uncivil, or off-topic comments," then commenters who make such comments that are tortious (intentional infliction of emotional distress, public disclosure of private facts, false light, defamation, etc.) can be liable for a CFAA violation. Moreover, any use of a website that goes against whatever terms the operator of that site has set forth that constitutes a negligence tort is also criminal.

The problem here is that the CFAA's applicability would be extremely broad -- so broad that the cases likely to be prosecuted would be arbitrary. Since tort law is common law, and is very flexible, broad, and evolving, people would not have adequate notice about what conduct would be legal and not legal. There's a reason why tort law is different from criminal law -- we are willing to accept a lot more ambiguity and uncertainty in tort law than in criminal law, where the stakes involve potential imprisonment.

Moreover, Nick Akerman only focuses on the CFAA § 1030(c)(2)(B)(2), which makes it a felony to exceed authorized access if the offense was committed in furtherance of any tortious act.

The CFAA § 1020(a)(2)(C) makes it a criminal misdemeanor to "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication." If I'm interpreting this correctly (and I don't purport to be an expert on the CFAA), under the Drew prosecutor's interpretation of the CFAA, any time a person violates a website's terms of service and access any information from the site, there's a criminal violation. That means that if I post on this blog a notice that says: "No attorneys may access any other parts of this blog other than the front page," and an attorney accesses any other page on my blog, then there's a CFAA violation. Could the law possibly be this broad? I think it would require a narrowing interpretation in order to avoid problems of unconstitutional vagueness.

The CFAA strikes me as a very poorly drafted statute. The Drew indictment demonstrates the problems with the law. Either courts should fix the CFAA interpretively by narrowing its scope, or else strike it down as unconstitutionally vague. But what clearly cannot stand is for the law to be interpreted as the Drew prosecutor seeks to interpret it.

Hat tip: Dan Slater at the WSJ Blog

Posted by Daniel J. Solove at 02:29 PM | Comments (14) | TrackBack

My New Book, Understanding Privacy

I am very happy to announce the publication of my new book, UNDERSTANDING PRIVACY (Harvard University Press, May 2008). There has been a longstanding struggle to understand what "privacy" means and why it is valuable. Professor Arthur Miller once wrote that privacy is "exasperatingly vague and evanescent." In this book, I aim to develop a clear and accessible theory of privacy, one that will provide useful guidance for law and policy. From the book jacket:

Privacy is one of the most important concepts of our time, yet it is also one of the most elusive. As rapidly changing technology makes information more and more available, scholars, activists, and policymakers have struggled to define privacy, with many conceding that the task is virtually impossible.

In this concise and lucid book, Daniel J. Solove offers a comprehensive overview of the difficulties involved in discussions of privacy and ultimately provides a provocative resolution. He argues that no single definition can be workable, but rather that there are multiple forms of privacy, related to one another by family resemblances. His theory bridges cultural differences and addresses historical changes in views on privacy. Drawing on a broad array of interdisciplinary sources, Solove sets forth a framework for understanding privacy that provides clear, practical guidance for engaging with relevant issues.

Understanding Privacy will be an essential introduction to long-standing debates and an invaluable resource for crafting laws and policies about surveillance, data mining, identity theft, state involvement in reproductive and marital decisions, and other pressing contemporary matters concerning privacy.

Here's a brief summary of Understanding Privacy. Chapter 1 (available on SSRN) introduces the basic ideas of the book. Chapter 2 builds upon my article Conceptualizing Privacy, 90 Cal. L. Rev. 1087 (2002), surveying and critiquing existing theories of privacy. Chapter 3 contains an extensive discussion (mostly new material) explaining why I chose the approach toward theorizing privacy that I did, and why I rejected many other potential alternatives. It examines how a theory of privacy should account for cultural and historical variation yet avoid being too local in perspective. This chapter also explores why a theory of privacy should avoid being too general or too contextual. I draw significantly from historical examples to illustrate my points. I also discuss why a theory of privacy shouldn't focus on the nature of the information, the individual's preferences, or reasonable expectations of privacy. Chapter 4 consists of new material discussing the value of privacy. Chapter 5 builds on my article, A Taxonomy of Privacy, 154 U. Pa. L.. Rev. 477 (2006). I've updated the taxonomy in the book, and I've added a lot of new material about how my theory of privacy interfaces not only with US law, but with the privacy law of many other countries. Finally, Chapter 6 consists of new material exploring the consequences and applications of my theory and examining the nature of privacy harms.

Understanding Privacy is much broader than The Digital Person and The Future of Reputation. Whereas these other two books examined specific privacy problems, Understanding Privacy is a general theory of privacy, and I hope it will be relevant and useful in a wide range of issues and debates.

For more information about the book, please visit its website.

Posted by Daniel J. Solove at 12:03 AM | Comments (5) | TrackBack

The Digital Person Free Online!

Last month, Yale University Press allowed me to put my book, The Future of Reputation: Gossip, Rumor, and Privacy on the Internet online for free. The experiment has gone quite well. The book's website received a big bump in traffic, with many people downloading one or more chapters. The book's sales picked up for several weeks after it was placed online for free. Sales have now returned to about the same level as before the book went online.

I'm delighted to announce that NYU Press has allowed me to put my book, The Digital Person: Technology and Privacy in the Information Age (NYU Press, 2004) online for free.

Here's a brief synopsis of The Digital Person from the book jacket:

Seven days a week, twenty-four hours a day, electronic databases are compiling information about you. As you surf the Internet, an unprecedented amount of your personal information is being recorded and preserved forever in the digital minds of computers. These databases create a profile of activities, interests, and preferences used to investigate backgrounds, check credit, market products, and make a wide variety of decisions affecting our lives. The creation and use of these databases--which Daniel J. Solove calls “digital dossiers”--has thus far gone largely unchecked. In this startling account of new technologies for gathering and using personal data, Solove explains why digital dossiers pose a grave threat to our privacy.

Digital dossiers impact many aspects of our lives. For example, they increase our vulnerability to identity theft, a serious crime that has been escalating at an alarming rate. Moreover, since September 11th, the government has been tapping into vast stores of information collected by businesses and using it to profile people for criminal or terrorist activity. In THE DIGITAL PERSON, Solove engages in a fascinating discussion of timely privacy issues such as spyware, web bugs, data mining, the USA-Patriot Act, and airline passenger profiling.

THE DIGITAL PERSON not only explores these problems, but provides a compelling account of how we can respond to them. Using a wide variety of sources, including history, philosophy, and literature, Solove sets forth a new understanding of what privacy is, one that is appropriate for the new challenges of the Information Age. Solove recommends how the law can be reformed to simultaneously protect our privacy and allow us to enjoy the benefits of our increasingly digital world.

Book reviews are collected here.

Posted by Daniel J. Solove at 12:08 AM | Comments (0) | TrackBack

Ranking Banks Based on Incidents of Identity Theft

Chris Hoofnagle just released a new report entitled Measuring Identity Theft at Top Banks. In the report, he ranks the top 25 US banks according to their relative incidence of identity theft. The report is based on consumer-submitted complaints to the FTC where the victim identified an institution.

In a previous paper called Identity Theft: Making the Unknown Knowns Known, Chris argued that there should be mandatory public disclosure of identity theft statistics by banks. Since the financial institutions don't currently release such data, we have no idea which institutions are being more effective at reducing identity theft than others.

For his new paper, Chris made a FOIA request last year to the FTC for two years of consumer complaint data. The FTC found it too burdensome to release two years' worth of data, so "the request was limited to three randomly-chosen months in 2006, January, March, and September. These months included data from 88,560 complaints, with 46,262 names of institutions were identified by victims." Chris's paper is based on an analysis of this data.

From the abstract:

There is no reliable way for consumers, regulators, and businesses to assess the relative incidence of identity fraud at major financial institutions. This lack of information prevents more vigorous competition among institutions to protect accountholders from identity theft. As part of a multiple strategy approach to obtaining more actionable data on identity theft, the Freedom of Information Act was used to obtain complaint data submitted by victims in 2006 to the Federal Trade Commission. This complaint data identifies the institution where impostors established fraudulent accounts or affected existing accounts in the name of the victim. The data show that some institutions have a far greater incidence of identity theft than others. The data further show that the major telecommunications companies had numerous identity theft events, but a metric is lacking to compare this industry with the financial institutions.

This is a first attempt to meaningfully compare institutions on their performance in avoiding identity theft. This analysis faces several challenges that are described in the methods section. The author welcomes constructive criticism, suggestions, and comments in an effort to shine light on the identity theft problem.

This is a fantastic endeavor, as more information on how institutions are protecting against identity theft is sorely needed. Chris admits that his study has some limitations and could be improved if financial institutions would supply more information to the public. But based on the information Chris could find out, this report is quite revealing. Hopefully, it will spark more transparency from financial institutions in the future.

Here is one of many charts in the paper. The chart below is of incidents of identity theft relative to the size of each institution.

Posted by Daniel J. Solove at 11:06 AM | Comments (1) | TrackBack

Coming Back from the Dead

Lazarus had it easy. Not so for Laura Todd, who has been trying to come back from the dead for nearly a decade. According to WSMV News in Nashville:

According to government paperwork, Laura Todd has been dead off and on for eight years, and Todd said there's no end to the complications the situation creates.

“One time when I (was) ruled dead, they canceled my health insurance because it got that far,” she said.

Todd’s struggle started with a typo at the Social Security administration. She said the government has assured her since the problem that they have deleted her death record, but she said the problems keep cropping up.

On Wednesday, the IRS once again rejected her electronic tax return. She said she’s gone through it before.

“I will not be eligible for my refund. I'm not eligible for my rebate. I mean, I can't do anything with it,” she said.

Channel 4’s Nancy Amons first reported about Todd’s ordeal last week, but Amons has since found out more about how common the problem is.

According to a government audit, Social Security had to resurrect more than 23,000 people in a period of less than two years. The number is the approximate equivalent to the population of Brentwood.

The audit said the lack of documentation in the Social Security computer makes it impossible for the government's auditors to determine if the people are dead or alive.

But some of those who are alive have found more complications after their resurrection.

Illinois resident Jay Liebenow was also declared dead. He said Todd is now more vulnerable to identity theft because after someone dies, Social Security releases that person’s personal information on computer discs. He said the information is sold to anyone who wants it, like the Web site Ancestry.com.

One of the problems with modern recordkeeping is that although computers make things more efficient, they compound the effects that errors have on people's lives. The difficulty is that the law currently does not afford people with sufficient power to clean up mistakes in their records. Since information is so readily transferred between entities, an error that is corrected in one database has often migrated to another database before the correction. The error doesn't die. Instead, you do.

Responsibility should be placed on every entity that maintains records to ensure that information is correct and that errors are promptly fixed. Moreover, when information is shared with others, the one sharing the information should have duties to inform the others of the error; and those receiving the data should have a duty to check for corrections in the data from the source.

Right now, we're living in a bureaucratic data hell, and that's because that there aren't sufficient incentives for entities to be careful with the records they keep about people.

Image: The Resurrection of Lazarus by Vincent van Gogh, 1889-90, from Wikicommons.

Posted by Daniel J. Solove at 12:04 AM | Comments (0) | TrackBack

Facebook Applications: Another Privacy Concern

Recently, I've been complaining about Facebook's mishaps regarding privacy. Back in 2006, Facebook sparked the ire of over 700,000 members when it launched News Feeds. In 2007, Facebook launched Beacon and Social Ads, sparking new privacy outcries. An uprising of Facebook users prompted Facebook to change its policies regarding Beacon. For more about Facebook's recent privacy issues, see my post here.

But that's not all. Over at CNET, Chris Soghoian reports about some severe privacy concerns with Facebook applications. An application (or "app" for short) is a program that is created by a third party that adds interesting features to one's profile. These apps have become quite popular with Facebook users. But they come with some very serious potential dangers. Soghoian writes:

[A] new study suggests there may be a bigger problem with the applications. Many are given access to far more personal data than they need to in order to run, including data on users who never even signed up for the application. Not only does Facebook enable this, but it does little to warn users that it is even happening, and of the risk that a rogue application developer can pose. . . .

In order to install an application, a Facebook user must first agree to "allow this application to...know who I am and access my information." Users not willing to permit the application access to all kinds of data from their profile cannot install it onto their Facebook page.

What kind of information does Facebook give the application developer access to? Practically everything. . . .

The applications don't actually run on Facebook's servers, but on servers owned and operated by the application developers. Whenever a Facebook user's profile is displayed, the application servers contact Facebook, request the user's private data, process it, and send back whatever content will be displayed to the user. As part of its terms of service, Facebook makes the developers promise to throw away any data they received from Facebook after the application content has been sent back for display to the user.

So when you use a third party application, you basically must put your trust in that third party to follow Facebook's rules in good faith. In other words, Facebook users use applications at their own risk.

But what if an application is created by some hacker in Russia? Or is designed by a creepy child molester to harvest people's personal information? Should Facebook be doing more to protect users against the bad-apple application developers?

Soghoian notes that in many cases, applications are being given access to much more personal data than they actually need to function:

[A]s researchers from the University of Virginia have detailed in a recent report, Facebook provides applications with access to far more private user information than they need to function. Adrienne Felt, a student and lead researcher on the project, told me that of the top 150 applications they examined in October 2007, "8.7 percent didn't need any information; 82 percent used public data (name, network, list of friends); and only 9.3 percent needed private information (e.g., birthday). Since all of the applications are given full access to private data, this means that 90.7 percent of applications are being given more privileges than they need."

But that's not the end of the problem. There's more:

Facebook's Web site and lengthy application terms of service curiously fail to mention something rather important. In addition to providing the application developer access to most of your private profile data, you also agree to allow the developer to see private data on all of your friends too.

Many Facebook users set their profiles to private, which stops anyone but their friends from seeing their profile details. This is a great privacy feature that can protect users from cyberstalkers and is completely gutted by the application system. To restate things--if you set your profile to private, and one of your friends adds an application, most of your profile information that is visible to your friend is also available to the application developer--even if you yourself have not installed the application.

The good news is that Facebook lets you configure the amount of your own private data that your friend's applications can see. The bad news is that it's hidden away, requiring several clicks through menus to find a page listing specific privacy settings (Privacy -> Applications -> Other Applications). Furthermore, the default values are extremely lax, such that a user who has yet to discover the preference page is essentially sharing her entire profile by default.

This friend data-sharing "feature," and the ability to protect against it, isn't mentioned anywhere else on Facebook's site, nor are users informed about it when they install an application.

Soghoian's story hasn't gained a lot of traction, and an outcry hasn't yet ensued over Facebook's policies for its applications. I was recently on a panel with Chris Kelly, Facebook's Chief Privacy Officer, at the Advisory Committee to the Congressional Internet Caucus's State of the Net Conference. The issue of applications didn't come up, so unfortunately, I didn't have the opportunity to speak with him about it. Facebook's general position on privacy seems to be that they are being transparent about the privacy risks their users are facing, that they offer their users a choice, and that when there's an outcry over privacy, they respond. All these things are true, but there are flaws in this approach.

First, the notice about privacy risks currently isn't effective. At the panel, I complained that privacy policies are woefully ineffective at informing consumers because nobody reads them. In a humorous moment, panelist and FTC Commissioner Jon Leibowitz, who uses Facebook, admitted that he hadn't yet read Facebook's privacy policy.

Second, the choice users have is often difficult to make, as Soghoian demonstrates in his article. Moreover, the choices consumers are given are often all-or-nothing, take-it-or-leave-it choices that encourage often ill-informed users not to opt out or to agree to use a feature such as an application. But for many users, they may prefer a better menu of choices, such as the ability to use an application but not surrender all of their personal information or that of their friends.

Third, I think that the better privacy strategy is for companies to think proactively about privacy, rather than to wait until the people are banging on the castle doors calling for the king's head. The older generation of Information Age companies -- Microsoft and ChoicePoint for example -- have learned from their privacy fiascoes and now are attempting to embrace privacy rather than resist it. But the newer generation of companies, such as Facebook and others, do not seem to have learned these lessons.

Posted by Daniel J. Solove at 12:24 PM | Comments (2) | TrackBack

Facebook's Beacon, Blockbuster, and the Video Privacy Protection Act

The news has been buzzing lately about Facebook's Beacon, where participating websites share personal information with Facebook. Beacon originally had a poor notice and opt-out policy, but after significant public criticism, Facebook changed to an opt-in policy. Even under the new opt-in policy, however, the participating companies are still turning data over to Facebook, and that spells potential trouble for at least one of the 40 companies in the Beacon program -- Blockbuster Video.

Over at Laboratorium, Professor James Grimmelmann (NY Law School) has an excellent post arguing that Blockbuster's participation in Facebook's Beacon violates the Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710. James writes:

The VPPA states:

A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable….

18 U.S.C. § 2710(b)(1). The important first question is who’s a “video tape service provider.” That’s defined in paragraph (a)(4):

[T]he term “video tape service provider” means any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials. . . .

Blockbuster clearly qualifies as a video tape service provider. To the extent it transmits information to Facebook about a customer's video purchases -- no matter what Facebook ultimately does with that data (i.e. regardless of whether it appears in a person's profile, is stored by Facebook in a database, or is deleted), Blockbuster could be liable under VPPA. The statute is an opt-in statute, requiring that the customer provide "informed written consent . . . at the time the disclosure is sought" in order for the disclosure to be permissible.

James also analyzes whether Facebook could be liable as well:

There’s the joint enterprise theory; since Facebook and Blockbuster acted together, and Blockbuster is liable, so too is Facebook. There’s a split in the VPPA caselaw as to whether liability runs only against the video tape service provider, or can run also against the person who induced the disclosure.

James concludes:

Put this all together, and the legal situation looks a bit bleak for Facebook and Blockbuster. The VPPA provides damages of $2,500 per violation, plus punitive damages and attorneys’ fees. I have no idea how many movies wound up in people’s news feeds, but it doesn’t have to be too many for the total to hurt. Class action lawyers, start your engines.

Posted by Daniel J. Solove at 02:55 PM | Comments (6) | TrackBack

Facebook -- the New DoubleClick?

I previously complained about Facebook's Beacon and Social Ads, and last week Facebook appeared to back down (at least from Beacon) by changing its policy and having users opt-in before their activities on other websites is broadcast on their profiles. I applauded Facebook's change of heart.

But there are more disturbing aspects of Beacon that have not been changed. According to Macworld:

If you think that just because you have never signed up for Facebook you’re immune to the tracking and collecting of user activities outside of this popular social networking site, think again.

Facebook’s controversial Beacon ad system tracks activities from all users in its third-party partner sites, including from people who have never signed up with Facebook or who have deactivated their accounts, CA has found.

Beacon captures detailed data on what users do on these external partner sites and sends it back to Facebook along with users’ IP addresses, Stefan Berteau, senior research engineer at CA’s Threat Research Group, said Monday in an interview.

This happens even if users delete the Facebook cookie. “The Facebook Javascript [code] is still called by the affiliate site and the information is passed in,” he said. In the case of users without accounts or with deactivated accounts, the data isn’t tied to a Facebook ID, he said.

However, it is well-known that IP addresses provide a variety of information about users, and have in some cases been used to identify individuals.

The information captured by Beacon in these cases includes the addresses of Web pages visited by the user and a string with the action taken in the partner site, Berteau said. . . .

Over the weekend, Facebook confirmed that Berteau’s report on Friday was accurate, but said that it deletes the data it gets under these circumstances.

Still, Friday’s findings deepened the privacy concerns surrounding Beacon since its introduction several weeks ago. And the admission Monday added to the concerns, since it contradicted what had, until then, been the official company line about this issue.

For more, see Michael Zimmer's post.

A while back, DoubleClick generated many privacy complaints. DoubleClick used information about people's websurfing habits to target ads on various websites. Facebook's Beacon appears to be a related incarnation of the DoubleClick advertising model.

Facebook is not the only one to blame with Beacon. About 40 websites participate in the Beacon program, including:

* Blockbuster
* CBS Interactive (CBSSports.com & Dotspotter)
* Citysearch
* Fandango
* LiveJournal
* Mercantila
* National Basketball Association
* NYTimes.com
* Overstock.com
* Sony Online Entertainment LLC
* Sony Pictures
* TripAdvisor
* Travelocity
* TypePad
* WeddingChannel.com

For a more complete list of these companies, see this post on the Consumerist blog.

These companies are disclosing their customer data with Facebook -- often without their users' knowledge or consent. This is possible because there is scant regulation on what most companies can do with your personal data. The law basically allows them to do whatever they want with it. Most companies have privacy policies, which tell you how they use the information. If a company violates its privacy policy, then the FTC can bring an action, but privacy policies are written in vague terms that often allow for a lot of information sharing. The current system of protecting privacy of personal information is referred to by industry as "notice and choice." But the notice is often buried in lengthy and verbose privacy policies that most consumers don't read; and there is often little choice consumers have other than to take it or leave it. In other words, there's not much notice and not much choice.

Hat tip: Pogo Was Right

Posted by Daniel J. Solove at 12:22 PM | Comments (1) | TrackBack

Facebook Listens and Responds

I'm quite pleased to learn that Facebook has come to a privacy epiphany. I've been blogging a lot lately about the privacy problems with Facebook's new features -- Beacon and Social Ads:
* Facebook's Beacon: News Feeds All Over Again?
* The Facebook-Fandango Connection: Invasion of Privacy?
* Facebook and the Appropriation of Name or Likeness Tort
* The New Facebook Ads -- Starring You: Another Privacy Debacle?

Facebook recently announced that it is changing the way it obtains people's consent before it uses or discloses their personal information. In particular, its change in policy involves Beacon. According to the AP:

More than 40 different Web sites, including Fandango.com, Overstock.com and Blockbuster.com, had embedded Beacon in their pages to track transactions made by Facebook users.

Unless instructed otherwise, the participating sites alerted Facebook, which then notified a user's friends within the social network about items that had been bought or products that had been reviewed.

Facebook thought the marketing feeds would help its users keep their friends better informed about their interests while also serving as "trusted referrals" that would help drive more sales to the sites using the Beacon system.

But thousands of Facebook users viewed the Beacon referrals as a betrayal of trust. Critics blasted the advertising tool as an unwelcome nuisance with flimsy privacy protections that had already exasperated and embarrassed some users.

Some users have already complained about inadvertently finding out about gifts bought for them for Christmas and Hanukkah after Beacon shared information from Overstock.com. Other users say they were unnerved when they discovered their friends had found out what movies they were watching through purchases made on Fandango.

Peter Lattman of WSJ blog was one of the ones caught off guard by Beacon, when he discovered to his dismay that Facebook announced to his friends that he bought tickets to Bee Movie on Fandango.

According to the New York Times:

Under Beacon, when Facebook members purchase movie tickets on Fandango.com, for example, Facebook sends a notice about what movie they are seeing in the News Feed on all of their friends’ pages. If a user saves a recipe on Epicurious.com or rates travel venues on NYTimes.com, friends are also notified. There is an opt-out box that appears for a few seconds, but users complain that it is hard to find.

The New York Times story explains Facebook's change in policy:

Faced with its second mass protest by members in its short life span, Facebook, the enormously popular social networking Web site, is reining in some aspects of a controversial new advertising program.

Within the last 10 days, more than 50,000 Facebook members have signed a petition objecting to the new program, which sends messages to users’ friends about what they are buying on Web sites like Travelocity.com, TheKnot.com and Fandango. The members want to be able to opt out of the program completely with one click, but Facebook won’t let them.

Late yesterday the company made an important change, saying that it would not send messages about users’ Internet activities without getting explicit approval each time.

It appears that Facebook has moved from an opt-out to an opt-in system -- users will have to affirmatively give their consent before their data is disclosed. This is a very positive development.

Over at the New York Times's Bits blog, Louise Story has a very interesting post about the evolution of Facebook's Beacon and how Facebook has been continually improving the way it obtains user consent. At the end of her post, she notes that while Facebook has implemented an opt-in system for Beacon, it will not allow users to universally opt-out of Beacon:

Facebook executives tell reporters that users who ignore the alert boxes will no longer be considered to have said “yes,” even after two days. If users ignore the alert box, Facebook says it will not post the news of their purchases to their friends. This is a big change, if implemented correctly. Users will still be hassled by the alert boxes from Facebook on its partner sites, but ideally they can ignore them now and not worry about their purchases being shared.

Facebook executives say they do not want to add a universal opt-out button because then users would not be able to try out Beacon on different sites to see what it can offer. One Facebook executive predicts that consumers may “fall in love” with Beacon once they understand it. Only time will tell.

The opt-in is a big step in the right direction, but I do hope that Facebook will rethink its policy of not allowing users a universal opt-out.

Posted by Daniel J. Solove at 10:35 AM | Comments (0) | TrackBack

Facebook's Beacon: News Feeds All Over Again?

I recently blogged about Facebook's Beacon, where it adds information to user profiles of their purchases at participating external websites such as Fandango. Beacon is starting to spark a privacy outcry among Facebook users. From the AP:

Some users of the online hangout Facebook are complaining that its two-week-old marketing program is publicizing their purchases for friends to see.

Those users say they never noticed a small box that appears on a corner of their Web browsers following transactions at Fandango, Overstock and other online retailers. The box alerts users that information is about to be shared with Facebook unless they click on "No Thanks." It disappears after about 20 seconds, after which consent is assumed.

Users are given a second notice the next time they log on to Facebook, but they can easily miss it if they quickly click away to visit a friend's page or check e-mail.

Back in 2006, Facebook rolled out a new feature called News Feeds that sparked a privacy outcry among its users and prompted Facebook to issue a letter of apology. Perhaps it is deja vu all over again with Beacon. According to the AP story:

Users are able to decline sharing on a site-by-site basis, but can't withdraw from the program entirely. . . .

Liberal advocacy group MoveOn.org formed a protest group Tuesday and had more than 6,000 members by Wednesday. The group is calling on Facebook to stop revealing online purchases and letting companies use names for endorsements without "explicit permission."

"We want Facebook to realize that their users are rightly concerned that private information is being made public," MoveOn spokesman Adam Green said, adding that Facebook could quell concerns by seeking "opt in" consent rather than leaving it to users to "opt out" by taking steps to decline sharing.

Maybe Facebook should realize something that strikes many as common sense -- if people want something to appear in their profiles, they'll put it there themselves.

Posted by Daniel J. Solove at 06:27 PM | Comments (0) | TrackBack

The Facebook-Fandango Connection: Invasion of Privacy?

Facebook recently rolled out a new advertising program called Social Ads, where Facebook users' images, names, and words are used to help advertise products and services. I blogged about Facebook's Social Ads here and here, contending that they are likely a violation of the tort of appropriation of name or likeness as well as the right to publicity tort.

Peter Lattman at the WSJ Blog has a great new post about Facebook that throws in another even more troubling wrinkle:

Last Sunday the Law Blog purchased three tickets to “Bee Movie” on Fandango, the movie site. After we did this, Facebook automatically updated our profile to say, “Peter bought ‘Bee Movie’ on Fandango.”

Huh? Did we want everyone on Facebook to know our movie-buying habits? Not really. But it seems we agreed to this. According to Fandango’s privacy policy, which we agreed to by using the site, “If you are a member of a social network service (such as Facebook, MySpace, etc.) or you use other Internet sites where you have authorized them to gather information about your online behavior on Fandango . . . Fandango may share information regarding your activities . . . with those third parties pursuant to your authorization.”

Then we checked out our privacy settings on Facebook. Under “Privacy Settings for External Websites,” there’s a Fandango icon, indicating that we’ve agreed to have our actions on Fandango sent to our Facebook profile. We changed our profile, mandating that they never — never! — do this again.

This case illustrates why the current legal regime regulating personal information at most websites is so deeply flawed. The default settings are set to allow information sharing and disclosure, with users often completely unaware of how their information is going to be used. Businesses frequently tout how they are protecting privacy by providing users with "notice and choice" about how their information will be collected, used, and disseminated. Yet the system rarely results in informed consumers or meaningful choices.

So imagine: You go to Fandango and buy tickets to see a movie -- and then all of a sudden your purchase is being revealed publicly to everybody you know on Facebook. You probably didn't even know that Facebook had this deal with Fandango. What if more websites like Fandango start to collude with Facebook? Does this mean that every time we visit a website, every time we make a purchase, the information starts showing up in our Facebook profiles and on our friends' Facebook profiles?

At least Social Ads, as I understood it, involved people publicly stating they liked or used a product. This is still problematic, for the reasons I discussed in my posts -- being used in an ad unwittingly is a harm even if one has publicly praised the things being advertised in the past. But now Facebook is taking things one step beyond by exposing people's personal information to the public. Perhaps Peter Lattman doesn't want the world to know that he saw Bee Movie. Perhaps he does. But this is something he should decide, not the corporate officials at Facebook or Fandango.

"Poor Peter," Fandango and Facebook will say, "But you should have read our privacy policies! It's all your fault Peter." Fandango's privacy policy states:

If you are a member of a social network service (such as Facebook, MySpace, etc.) or you use other Internet sites where you have authorized them to gather information about your online behavior on Fandango (for instance, to notify your friends that you have viewed a video or bought movie tickets), including participation in any behavioral reporting program that they may operate on or off of their own site (i.e., Facebook Beacon, etc.), Fandango may share information regarding your activities on our Site or other Service with those third parties pursuant to your authorization, and they may associate that information with Personally Identifiable Information they already have about you (such as your Facebook Profile) and use it to improve their site or services or for other purposes. Fandango does not control the privacy policies of such third parties, and their privacy policies will govern their use of your information once it has been transmitted by Fandango. Fandango assumes no responsibility or liability for the actions of such third parties with respect to their use of your information or otherwise. Accordingly, make sure you are aware of and comfortable with the privacy policies of any third parties that you authorize to gather information from Fandango.

Get that? If you don't like it, Fandango is saying you should take it up with Facebook. This paragraph is buried in a very lengthy policy of 2474 words. But if you've used Fandango, you've agreed to it, whether you read it or not. According to the policy:

When you use the Site or other Service, you are accepting the terms and conditions of this Privacy Policy, and Fandango will have the right to use your Personally Identifiable Information or other information about you as described in this Privacy Policy.

So Fandango passes the buck to Facebook. On to Facebook then. Facebook's privacy policy clocks in at 3514 words. Plus, you can't just read that. You also need to read the Terms of Use (a mere 6445 words). And then check your default settings, which are preset to maximize the exposure of your information. And of course, the privacy policies of Facebook, Fandango, and any other website that might later share information with Facebook are subject to change at moment's notice, all without notifying you of the change!

So read up! Read often! Does this really make sense as a meaningful way to protect consumer privacy?

There's another way to protect people's privacy -- opt-in. If Fandango wants to share your information with Facebook, it should ask for your consent first before doing so. Simply providing a privacy policy, a verbose and lengthy document that nobody reads and that is subject to change at any moment isn't sufficient. You don't consent just because they assume you do. If Facebook wants to disclose what you're doing and buying on other websites, or use your name or image in an ad, then it should ask you. Instead, these companies hide behind thousands of words of legalese, claiming that by merely providing a little link to these policies at the bottom of their websites, you've consented to them the second you start using the site. This isn't meaningful consent. And it isn't a meaningful way to protect consumer privacy.

Posted by Daniel J. Solove at 01:57 PM | Comments (3) | TrackBack

Facebook and the Appropriation of Name or Likeness Tort

A few days ago, I posted about Facebook's new Social Ads and I argued that they might give rise to an action under the appropriation of name or likeness tort. The most common formulation of the appropriation tort is defined in the Restatement (Second) of Torts § 652C: "One who appropriates to his own use or benefit the name or likeness of another is subject to liability to the other for invasion of his privacy."

A related tort, a spin-off of appropriation, is the "right of publicity" which as defined by the Restatement (Third) of the Law of Unfair Competition § 46: "One who appropriates the commercial value of a person's identity by using without consent the person's name, likeness, or other indicia of identity for purpose of trade is subject to liability for [monetary and injunctive] relief."

These two torts have sometimes been confused with each other, but the basic difference is that appropriation protects one's dignitary interests in not desiring to have one's identity exploited and used for another's benefit whereas the right of publicity protects a person's property interest in the commercial value of her identity.

Both torts are potentially applicable to Facebook's Social Ads.

Over at Digital Daily, John Paczkowski discusses my post and adds:

Now Facebook claims no personally identifiable information is shared with an advertiser in creating a Social Ad. “Facebook has always empowered users to make choices about sharing their data, and with Facebook Ads we are extending that to marketing messages that appear on the site,” the company explains. “Facebook users will only see Social Ads to the extent their friends are sharing information with them.” That’s certainly a thoughtful assurance. But it doesn’t exactly address the issue of Facebook appropriating user identities for its own benefit.

At the NYT''s Bits, Saul Hansell discusses the response of Chris Kelly, the chief privacy officer of Facebook:

Mr. Kelly said the advertisements are simply a “representation” of the action users have taken: choosing to link themselves to a product. He added that in many states, consenting to something online is now seen as the equivalent of written consent.

And he argued that it would be difficult for someone used in one of these ads to object because that person had already chosen to publicly identify themselves with the brand doing the advertising.

“We are fairly confident that our operation is well presented to users and that they can make their own choices about whether they want to affiliate with brands that put up Facebook pages,” Mr. Kelly said.

I don't agree with Kelly's take on the law. Suppose Michael Jordan says on national TV that he likes Wheaties. Does this allow Wheaties to use his image on its cereal box or in a commercial? The answer is no. The fact that Jordan says he likes Wheaties can be used in a news story; it can be used in a biography of Jordan. But it cannot be used in a commercial advertisement. Comment (c) to the Restatement's section on appropriation states that "the defendant must have appropriated for his own use or benefit the reputation, prestige, social or commercial standing, public interest or other values of the plaintiff's name or likeness." That's exactly what's being done with Social Ads. They are not merely reporting facts (which is ok under appropriation and publicity); instead, they are using the reputation and standing of people to promote commercial products and services.

The fact that a person publicly states that she likes a product is not equivalent to that person's consent to be used in an advertisement. Otherwise, Coca Cola could snap a photo of a celebrity drinking a can of Coke and then use the photo in its ad campaign without paying the celebrity. That celebrity's lawyers would be licking their chops if that were to happen.

Moreover, the fact that a person publicly indicates liking for a product doesn't make the appropriation or right of publicity torts inapplicable. There is no element of these torts that requires that the information be private. The torts are designed to rectify the exploitation of a person's identity, not to remedy the disclosure of secrets.

This doesn't mean that Facebook users will have an easy case. Proving damages might be difficult. (Professor Bill McGeveran has some thoughts about the problems in establishing damages here.) Facebook might try to argue that users consented to the ads under its terms of service. According to its terms of service:

By posting User Content to any part of the Site, you automatically grant, and you represent and warrant that you have the right to grant, to the Company an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use, copy, publicly perform, publicly display, reformat, translate, excerpt (in whole or in part) and distribute such User Content for any purpose on or in connection with the Site or the promotion thereof, to prepare derivative works of, or incorporate into other works, such User Content, and to grant and authorize sublicenses of the foregoing.

I am not a contracts expert, so I don't know how broadly this might be interpreted and whether it would extinguish any appropriation or right of publicity claims.

But the reasons offered by Facebook's privacy counsel don't strike me as persuasive at all.

Moreover, I'm not sure that this is a wise policy for Facebook. Why piss of users by unwittingly using them in ads when Facebook could readily obtain their consent? Many users would probably be happy to be used in Social Ads. If so, getting them to say yes would be easy. If users aren't happy with it, then is it really a good idea to use them in these ads? In other words, asking for people's consent might not just be the law, it might be the wisest policy as well.

Posted by Daniel J. Solove at 12:27 AM | Comments (3) | TrackBack

The New Facebook Ads -- Starring You: Another Privacy Debacle?

Facebook recently announced a new advertising scheme. Instead of using celebrities to hawk products, it will use . . . you! That's right, pictures of you and your friends will appear on Facebook ads to make products more enticing to Facebook customers.

As Facebook's website describes its new "Social Ads" program:

Facebook Social Ads allow your businesses to become part of people's daily conversations. Ads can be displayed in the left hand Ad Space — visible to users as they browse Facebook to connect with their friends — as well as in the context of News Feed — attached to relevant social stories. The social stories, such as a friend's becoming a fan of your Facebook Page or a friend's taking an action on your website, make your ad more interesting and more relevant. Social Ads are placed in highly visible parts of the site without interrupting the user experience on Facebook.

Here's the sample ad that Facebook includes on its social ad description page:

According to the NY Times:

Facebook wants to put your face on advertisements for products that you like.

Facebook .com is a social networking site that lets people accumulate “friends” and share preferences and play games with them. Each member creates a home page where he or she can post photographs, likes and dislikes and updates about their activities.

Yesterday, in a twist on word-of-mouth marketing, Facebook began selling ads that display people’s profile photos next to commercial messages that are shown to their friends about items they purchased or registered an opinion about.

For example, going forward, a Facebook user who rents a movie on Blockbuster.com will be asked if he would like to have his movie choice broadcast out to all his friends on Facebook. And those friends would have no choice but to receive that movie message, along with an ad from Blockbuster.

At this point in reading the article, it seems as though participation in the ads (by the person being used in the ad) is fully consensual. But the article goes on to say:

Facebook says that many of its 50 million active users already tell friends about particular products or brands they like, and the only change will be that those communications might start to carry ad messages from the companies that sell them. Facebook is letting advertisers set up their own profile pages at no charge and encouraging companies like Blockbuster, Condé Nast and Coca-Cola to share information with Facebook about the actions of Facebook members on their sites.

As eager as advertisers are to tap into the rich trove of information that people freely offer about themselves on sites like Facebook and MySpace.com, there are nevertheless growing concerns about the privacy issues raised by such tactics. Facebook’s announcement yesterday came just a few days after a Federal Trade Commission hearing in Washington about online privacy and customized ads. The F.T.C. expressed concern that advertisers may have access to too much information about people’s online activities.

Facebook says it is using only information that its members choose to share. And, while the site is using the information on behalf of advertisers, Facebook is not giving it to marketers, said Chris Kelly, Facebook’s chief privacy officer.

According to a post by Saul Hansel in the NY Times blog, Bits:

These ads will be all the more powerful because the ad will be tied to an explicit endorsement of the advertiser by your friend. “Suzy is a fan of Verizon Wireless.” Or “Billy just entered the Pepsi Challenge.”

But Facebook has also made what could be a critical mistake: It is not asking its users whether they want to star in advertisements for the products they use. . . .

Mr. Kelly went further and argued that users shouldn’t have any reason to complain. The new ads only kick in if users choose to share information about their product choices. And in any case that information is only sent to their friends.

I think that’s rather insensitive. To some users, it may be fine to say “I like Red Bull” but not fine to have their pictures appended to a Red Bull ad. There are cases where you like the product but don’t like its ads.

What is deemed to be valid consent to appear in the ads? It seems as though Facebook might be assuming that if a person talks about a product, then he or she consents to being used in an advertisement for it. But such an assumption might be wrong, and the use of a person's name or image in an advertisement without that person's consent might constitute a violation of the appropriation of name or likeness tort.

According to the Restatement (Second) of Torts § 652C: "One who appropriates to his own use or benefit the name or likeness of another is subject to liability to the other for invasion of his privacy."

To avoid violating this tort, Facebook should first ask a user, before using her name or likeness, for permission to do so in an advertisement. Otherwise, the user might have an appropriation