158 comments

[ 5.8 ms ] story [ 199 ms ] thread
So, when Facebook asked for our email account credentials so that it could scrape our address books, that would also count as "criminal trespass"?

Breathtaking hypocrisy.

Well it depends if googlemail et al disallow automating access in their terms (I don't believe they do).

Clearly very douchey thought.

Incidentally, I joined Facebook in maybe February or March this year, and typed in my GMail -address when registering.

Right away I was presented with suggestions for people on Facebook that I might know, and they were obviously scraped from my GMail account.

So, as far as I could tell, Facebook got access to my GMail account without ever asking me anything about it.

Another reason this could happen: Your friends have allowed facebook to scan their accounts and facebook remembered that your friend sent you an email before to the address you're now using to sign up. No scanning of your account required.

I'm pretty sure they do save email data of non registered "users" because I was invited to facebook a few times. There was nothing strange on the first invite, but every consecutive invite had other additional friends of mine, who are too "waiting for me" to join.

Sorry for not noticing your reply sooner!

Actually the one who invited me and "caused" me to join was someone I didn't really know, but met once at an event. This person was extremely unlikely to be friends with any of my real friends.

But still, I got suggestions for my actual friends right away, so I still can't see any other way than for Facebook to actually have had access to my GMail account prior to me joining.

Considering that Facebook has asked for my email username and password in order to scrape the contacts from my email, this seems hypocritical. So, it's ok for Facebook to scrape data from other sites since that's data going into Facebook (per the user's wishes), but it isn't ok for other sites to scrape Facebook data (per the user's wishes).
I thought everything Zuckerberg ever built was based on scraping other peoples' data. Even now, didn't they pull info from Wikipedia for their pages about your interests?
That's not against Wikipedia's ToS.
Ok, I've never read their terms of service, until now. I'm guessing they have provided credit to the actual authors with a link to the original article and included a licensing notice? (not on Facebook)
Yes, they do link the the Wikipedia article, authors page and the Wikipedia front page.
Wikipedia's Terms of Use basically just guide you to act in a manner compatible with the Creative Commons Attribution / Share-Alike license, as well as the earlier GFDL license. (I am not a lawyer, probably there are significant additions, that's just my take on it).

http://wikimediafoundation.org/wiki/Terms_of_Use

Facebook could have scraped Wikipedia without asking, but as it happens, there is an agreement in place. I happen to work at the WMF, but don't ask me for more details, I'm not that privy to them.

This thread might help.

http://www.gossamer-threads.com/lists/wiki/foundation/194087

Interesting. The thread certainly makes it seem like it will be mutually beneficial. Maybe Facebook is a little less evil than I think, considering they gave a heads up.
Does Gmail's ToS forbid them from doing this? It would have to in order for it to be hypocritical. (it seems an important part of their argument.)

Their argument is B.S., of course, but I'm peevish about throwing that word around carelessly.

5.3 ... You specifically agree not to access (or attempt to access) any of the Services through any automated means (including use of scripts or web crawlers) and shall ensure that you comply with the instructions set out in any robots.txt file present on the Services.
Interesting. I wonder if this clause was in the GMail ToS when FB started doing this.

The Contacts API (which FB probably uses today) has different terms, and appears to not conflict with this usage.

So we would need to piece together a timeline. Probably not worth the effort.

Yeah, that effort could be put to something more productive :)

...I should get back to work.

A while ago I did look into this. I can't remember what the situation was with Gmail at the time but I'm fairly sure that hotmail had a similar clause in their ToS whilst Facebook was actively enabling scraping.
...and this is why terms of services are so ridiculous to the point where they have practically no meaning anymore.

Isn't it automated when the Gmail extension to Chrome tells me how many new messages I have, without me logging into gmail.com?

Isn't it automated when emails to my Gmail account are synced automatically to my (non-Google) smartphone?

First, full quote [1]:

5.3 You agree not to access (or attempt to access) any of the Services by any means other than through the interface that is provided by Google, unless you have been specifically allowed to do so in a separate agreement with Google. You specifically agree not to access (or attempt to access) any of the Services through any automated means (including use of scripts or web crawlers) and shall ensure that you comply with the instructions set out in any robots.txt file present on the Services.

Second, I imagine both of your examples use some for of API [2], which is clearly "the interface that is provided by Google". On the other hand, if your smartphone were to log into the GMail web-app pretending to be someone using a browser and scrape the HTML, it would, most likely, constitute a violation.

1. http://www.google.com/accounts/TOS

2. http://code.google.com/apis/gmail/

Yeah, I snipped the first line because I didn't think it applied to Facebook harvesting emails (they asked for your password). Sorry if it was misleading.
I'm willing to bet Google isn't going to sue itself.
(comment deleted)
The scary part is the court may agree.

Recently there was a case ( MDY industries vs Blizzard ) in which they argued that because MDY broke the EULA for Blizzard's software, they were no longer authorized to use the software, and in such- copyright infringers. The judge agreed. ( its now on appeal )

That's different. It was a civil issue. This is where facebook is trying to make it criminal.
I know its different. I was referencing a previous case that held that disobeying EULA terms can have farther reaching claws than simply breach of contract.
THE FACEBOOK RAPE POLICE IS GOING TO ARREST YOU FOR POKING TOO MANY GIRLS WITHOUT GETTING POKED BACK
Geez facebook. Bye forever. Account not just deactivated, but deleted.
That is quite possibly the least effective means of protest I can imagine.
I'm dragging others with me. It's the least I could do.
I posted on FB about my ambivalence about all the changes. I got quite a bit of attention to that post. I've decided that what I'm going to do is not deactivate, but scrub my profile and only post through reflector services (Buzz/Twitter).
How?

I can imagine less effective scenarios. 1) Not changing your life at all. 2) Not touching your Facebook page again. 3) Dressing up in a chicken suit and dancing around a major intersection. etc.

If you delete your Facebook page, it's one less user that Facebook can claim to have; if enough people do it, it could put a dent (however minor) in their bottom line.

As with any sort of vote, it's not your vote (or account deletion) that matters, it's the number of votes you convince people to make. It just seems odd to me when people trumpet insignificant actions when they clearly won't make a difference. If you want Facebook to change their policies, you're going to have to do more than delete your account.
He did do more. He deleted his account, and told everyone on HN he had.
That's a good point, but most people on HN are well aware of the arguments for deleting one's Facebook profile. Persuasion also didn't seem to be the intent of his comment, but I could be wrong.
There is a significant effect from account deletion. You are removing some of the motivation of your friends to interact with the web site. My account deletion had a significant effect within my social group, as I was a moderately heavy user. When I left, the "pull" from my comments and interactions ceased, and peoples usages of the site decreased considerably. (Confirmed via my girlfriends account, which lives in a very similar part of the social graph).
Every vote counts. What the masses lack in influence, they make up with in numbers... unless you discourage them with comments like yours.
That's my point. There are no masses. You have to create masses if you want things to change.
There are masses. If everyone starts doing it, other people will jump on. Most people value their privacy, they just need a bandwagon to jump on to.
I think we're agreeing with each other.
No we aren't. A bandwagon isn't always started by 1 influential person.
Every vote counts is a huge lie, perpetrated by those that govern, to make us feel that we actually have a say in the government. So we don't actually try to do something.

And you are not a mass, you are one person. And if your friends are anything like mine, you are not going to convince them to leave. Most people are happy to give up a little privacy, for the ease of keeping in touch with their friends that FB offers.

FB has a critical mass, so it is not as easy as suggesting an alternative.

I think you're missing that point. By saying, "You're a single person, you cannot affect change," you are discouraging everyone that would have (in this case) deleted their Facebook account. What if the number of people independently inspired by such an article is enough to make a minor dent in Facebook's bottom line? But they won't do that because of the constant beating of the, "Your vote is just a single vote and cannot matter" mantra.

Sure, convincing a group of people to delete their Facebook accounts is better than just deleting your own, but discouraging people en masse from enacting simple changes also discourages emergent behaviours in the crowd before they even start.

And it always seems odd to me when people berate these "insignificant" actions even though they are a step in the direction many would like to go. Change doesn't happen over night.
The reason they berate them is that people frequently say "If everyone does a little, we'll get a lot done.", and then do a little and stop, congratulating themselves about what they've done. In order to affect real change, a lot of people need to do a lot.

Focusing on and performing little actions distracts from doing the the big things that actually make a noticeable difference.

I don't care if they change or not. Get rich, I'm happy for them. Mean time I've deleted all my data (except that part of my data that they don't allow me to delete). I'm slowly deciding whether I'm going to (attempt to) delete my account. Not because I want them to change, but because I'm really irritated at having to review my privacy settings multiple times a year. At some point they're going to make a change that I'll miss.

As people (and I) have said over and over, don't put anything on the net that you don't want to be public.

Well, I haven't put my mother's maiden name up. But the more information about me that's up, the more connections are possible, until someone derives my mother's maiden name (or some other security question). Remember, we don't always get to choose a security question, that's relatively new. Banks, credit agencies, phone company, someone has something about you that's derivable.

Like I said, I don't care if FB changes or not, that's not necessary for me to want to leave, or at least diminish my presence.

That assumes that facebook really destroys your account and reduces their member count by one. If google said they do that, I'd believe them. I wouldn't believe FB on that point at this point in time.
I beg to differ. It's exactly the thing to do. Our only option is to vote with our proverbial wallets, and in Facebook's case that means leaving the site entirely, and not just deactivating, but DELETING, Facebook accounts, and encouraging others to do the same.

How To Delete Your Facebook Account: http://www.facebook.com/group.php?gid=16929680703

Believe it or not, there is a social web beyond Facebook.

Not if you back it up with a donation to the EFF. I just gave them a few coins. Seems like the best value:effort ratio for affecting the outcome of this case.
It's also the easiest, and after I refuse to play their game, what do I care?

Well, actually, as Lauren Weinstein pointed out, the political reaction to Mark Zuckerberg and Facebook's attitude towards privacy and the usual likely overreaction might hurt all Web 2.0 players, good and bad:

"He appears to be unapologetically reveling in taking advantage of many Facebook users' naivete about privacy risks, and shows no signs of backing down."

http://www.nnsquad.org/archives/nnsquad/msg03450.html

So I do have a greater stake in this, but there's not a whole lot that I see that I can do. That won't be true for others of course.

According to the corollary of Metcalfe's law it is actually very effective.

I think it would read something like "The value of a communications network decreases with the square of the amount of people that have left it".

Can we please stop calling Metcalfe's "law" a law?

It makes the exceedingly questionable assumption that we value all possible connections equally. Many different approaches to quantifying the value of networks converge on the much more reasonable estimate that value tends towards n log(n) rather than n*n.

See http://spectrum.ieee.org/computing/networks/metcalfes-law-is... for more.

Nice writing! Ok, we'll call it 'Tillys anything but a law' in stead ;)

I think everybody realizes that Metcalfe's law is not a 'law' in the sense that it is a given or an absolute, any of those - including Moores law and others like it are to be taken with a grain of salt.

The practical upshot of all this is that if the value of a network goes up with a non-linear factor when the number of participants increases the reverse also holds true. What we call it doesn't really matter and Metcalfe's law will do as good as any other shorthand description that will convey the point.

Thanks for the interesting read by the way, it's nice to see that even if Metcalfe was maybe wrong in the 'absolute' in principle the concept of non-linear value increase seems to hold true.

Non-linear is absolutely true. But the non-linearity is not nearly as strong as a lot of dot com business models assumed.

In an interesting twist, Metcalfe's law comes closest to being true in mediums where existing social relations are less important. For instance eBay is a classic example. If I want to sell, I really do value the network at the size of said network because I have no idea who wants to buy from me. Which is one reason why it is so hard to compete with eBay. (Despite how badly they mess up.)

This is all extremely interesting, especially the fact that you've been able to narrow down the 'range' of possible values by some real world analysis.

So, if I understand your piece correctly the value of the power changes over time depending on the size of the network and the available pool, in other words even the log(n) factor is not exact, in the beginning it is probably closer the to the original n^2, whereas later on it moves to more sedate territory, but it always seems to be higher than the '1' added by attaching another node to the network.

The 'competing with ebay' has a nice counterpart. In the netherlands there was a small local site called 'marktplaats' that had entrenched itself in the early days of the web, and nothing ebay did to dislodge it worked, so they ended up buying it.

The kicker is that 'hyves' (the dutch counterpart to facebook) is losing ground because people have a lot of international connections to friends and family, but trade seems to be limited to geographic boundaries and hence marktplaats succeeded where hyves is in trouble.

The Netherlands examples are interesting.

In the piece I quoted, it isn't that value scales like nn then like n log(n). The argument is that value scales like n log(n), which for small n looks more like nn than it does for large n. That said the argument given implicitly assumes that most of the people in the network have most of the people they really care about in the network as well. This assumption is less likely to be true for small networks than large ones.

It didn't make it into the paper, but an interesting optical illusion was discussed while we were writing it. Most of us judge the ubiquity of a network according to how many people we personally know who use it. Therefore people's value from belonging to a network tends to scale linearly with the size they perceive that network as having. (A typical American neither perceives nor values the growth of that network in China.) Which means that each individual observes what Bob Metcalfe did when he came up with his rule of thumb. We found that interesting, but left it out of the paper.

Another discussion we had was on different networks that scale differently. The two extremes we came up with are the telegraph networks and eBay. In the case of the telegraph network there is an asymmetry between senders and receivers. It is easy to make every resident of a major US city a potential receiver, at which point the network value scales linearly with the number of senders. And at the opposite end, auctions scale in a less approximately linear fashion. However we decided against including that because we didn't have detailed enough data to support our preliminary conclusions.

Also you should note that the IEE Spectrum article is an abridged form of http://www.dtc.umn.edu/~odlyzko/doc/metcalfe.pdf. The full version offers several different lines of reasoning that all converge on n log(n) scaling rules.

I agree with the EFF 100% in the article. But it's not always so clear.

What if I agree to developer Terms of Service that say I can't disseminate users' information, then publish a Identity Theft Target List with information pulled from the Facebook API?

Seems like that should be a criminal violation, even though I "only" violated a TOS.

What's an "Identity Theft Target List"? A list of information about people to make identity theft easier? In that case, publishing a list like that should be the crime (if it isn't already), not the TOS violation that got you the data.
Not necessarily. If it's public information that I could obtain by visiting their page, I can't get in trouble for collating it and publishing it.

Having access to Facebook's API makes it practical to scrape massive amounts of data, however.

If the data are public already, you're not really changing much by gathering them in one place. More important is the case of private data that are gathered by having a user enter their credentials. Using the private data in a way to which the user expressly agrees, regardless of TOS, should be legal. The problem arises when the data are used in a way counter to the user's wishes: like pretending to offer social network aggregation and instead publishing it without consent. That should probably be illegal.

I agree that it's not so clear-cut. Like a lot of legal matters, intent is also relevant, in addition to the actual effect.

I could see specific kinds of agreement violations being legally enforceable, but it seems safer if it was "opt-in" on the government's part which kinds of agreements can be enforceable that way, as opposed to letting anyone who writes a TOS be able to invent arbitrary new criminal offenses on the fly.

For example, there could be a law saying that anyone who disseminates information they agreed to keep private is guilty of an offense. That would make certain kinds of TOS related to information confidentiality legally enforceable. Of course, Facebook might then themselves be guilty of that offense with their retroactive privacy-policy changes...

I don't think your list would be substantially different from a phone book.
The way Facebook is going, and with how many people absolutely fail to understand what security settings it does provide, it'd be pretty easy to cull a list of all residences in the past 5 years, city of birth, mother's maiden name, favorite band, favorite pet, first boyfriend's name, and a decent photo.
That sounds like a case for educating people better about privacy settings and the threat of identity theft, not for getting the law involved. If people publish something online that they probably shouldn't, it's hard to protect them from themselves without a lot of unintended consequences.
You should do it!

Remember that Palin's Yahoo! mail account was hacked because someone figured out the answer to her security questions. Security questions are a dumb idea. Send me a fucking SecureID...

Would the impact of such a list really outweigh the risk of aiding and abetting identity theft?

There's probably way to accomplish the same effect without making the aggregated data public. Maybe sharing the results with some news outlet?

We need about 100 programmers to go out right now and start writing code that allows users to download and update information from their Facebook social graph. Let them fight a hundred legal battles instead of just one.

I've seen this coming for some time. There is going to be a war over who owns the data about each person, the person themselves or some service provider. I know that legally the service provider owns it, but I'm not thinking that is the way most people see it. This is a case where the law has gotten very far out of sync with the public (and with the first principles of natural law and personal property, but that's a discussion for another time)

European law may have a different attitude to "who own the person's data".
> I know that legally the service provider owns it, but I'm not thinking that is the way most people see it.

That's not the way most member states of the EU see it either, they have ruled very clearly that the user owns the data and has the right to access it, amend it and ask for it to be removed at any time.

>We need about 100 programmers to go out right now and start writing code that allows users to download and update information from their Facebook social graph.

Why stop there? They could go on and create a sort of alt-Facebook.

Let's call it, oh I dunno, "MySpace.com". Oops, just tried it and some squatter has it. Drat!
The EFF brief in this case states at page 7 that "Facebook users own the information they store with the company" and that Facebook's "terms of service confirm this and it is not subject to dispute here." (citing Facebook's Statement of Rights and Responsibilities sec. 2, http://www.facebook.com/facebook?ref=pf#!/terms.php?ref=pf).

That said, your basic point still stands because the issue is one of who gets to control the data about each person. In effect, Facebook has tried to trap the data for its own exclusive use through its terms of service, even while confirming that technical ownership lies with the user.

Some highlights from the EFF brief that bring out some of the tension on these issues:

1. FB is really trying to apply a heavy hand against third parties such as Power Ventures who have the temerity to supply tools that allow users to gain more control over their own data and how they use it. Section 502(c) of the California Penal Code criminalizes unauthorized access to network data (among other things) whenever someone "knowingly accesses and without permission" does certain things with such data (including if someone merely "accesses or causes to be accessed" such data). The major 502(c) precedent of a thirty party getting busted by Facebook itself is the case of ConnectU, which had been sued by FB for scraping email addresses of non-ConnectU customers from the FB site and then spamming them. In that case, the access violated Facebook's terms of service and ConnectU was found liable. However, ConnectU had accessed the information from FB users who had not given it permission to gain that access. ConnectU had argued that it did not violate 502(c) because the users had made their email addresses available to FB and that it thus did not engage in unauthorized access in violation of the statute. The court disagreed, finding that the FB users could disclose their email addresses for "selective purposes" only without giving third parties broad rights of access to them. Given this precedent, FB is claiming that Power Ventures is similarly liable for gaining access to FB user data in violation of FB terms of service. Thus, the key distinction by which EFF seeks to distinguish the precedent is by saying that, here, the users not only own the data but also give their permission to Power Ventures to access it. EFF further argues that any violation of FB terms by Power Ventures or by users might be grounds for civil liability but is irrelevant to the question of whether a criminal act has been committed by such access because the only time this would amount to a crime is when a user's rights are violated by someone who hacks into their data without their permission. Therefore, "[w]hen a person is authorized to access certain information . . ., mere use of an unapproved technology to access that information cannot constitute a criminal act under California Penal Code section 502(c)." (Brief at p. 10) The EFF brief (submitted as an "amicus" or friend-of-the-court brief) is compelling on this point and makes FB's position look pretty laughable - I think the court will side with Power Ventures on this one.

2. FB has already won a round in this fight with Power Ventures by getting a related ruling to the effect that the FB terms of service effectively deny users the right to authorize circumvention of FB's technological protection measures for purposes of copyright circumvention. In other words, even though users might authorize a third party to have access to their information, FB can block such access on at least one important ground via its TOS (thus trapping the data for its exclusive use).

3. In February 2009 Facebook tried to modify its terms of service to give FB the right to continue to use content indefinitely, even if a user tried to delete it or even quit the service. This created a firestorm and FB dropped this effort. This was not for legal reasons but for practical ones - it could not afford to alie...

I agree, grellas, and although I use the word "war" with some concern, in this case I believe this is truly an economic and personal property conflict which is already politically intense and threatens to continue escalating.

The theory is this: are computers, programs, and data pieces of external property that can be manipulated in a traditional manner by the courts? Or are they extensions of the individual's mind? I think the law views it as the former, but I think the citizenry is more and more viewing it as the latter. And no amount of precedence or legal force is going to change that. Sometimes the law IS an ass. You can have all the Facebook Dred Scott cases you want, and it's only going to make matters worse.

I have been standing by mostly idle as this developed, but I more and more feel compelled to act -- protest, write letters, petition, sue, etc. That's unusual for me, as I am not an activist by any means.

Lately Facebook seem all to happy to trade the goodwill and trust of their users for control and monetization over their data.

It's getting a little creepy.

I agree, but the prevalence of FB on the HN front page is a little suspect. There have been at least 10 negative FB posts on HN in the past couple days. I think someone's got an axe to grind...
That someone is "people" and the axe they have to grind is "stop trolling the personal data you unscrupulously collected from us in the first place by hoodwinking us into thinking you actually MEANT the meaningless drivel in your privacy policy."
I've not fully kept up with all the stories recently (been busy, I have a pretty open FB account anyway etc..) but as far as I was aware the only really problematic thing (from a privacy perspective) was the new favourites/likes etc. thing where certain things can appear on the "fan" page without you really realising.

I wasn't aware of anything else specific that was bending the privacy policy to the limit? Anyone care to fill me in on the TL;DR version?

(the social graph, as far as I saw, obeys your privacy settings)

Selling all your details to advertisers.

Constantly changing what is private and what is public.

Getting upset at someone using the data that they provide to the public for research purposes.

There is more.

"Selling all your details to advertisers."

Simply, no. There is no check you can write to facebook to in order to get a particular facebook user's, or set of users', information.

Nope, they give it out for free via the graph API.
(comment deleted)
I'm not following Facebook closely either, but two things I'm aware of:

- 3rd parties (app developers, Facebook Connect users, etc.) no longer have a 24hr limit on storing user data

- Open Graph basically means your Facebook info has the potential to be plastered all over the web if you're browsing without being logged out of Facebook

(comment deleted)
They wouldn't be on the front page if it weren't for all the upvotes.
Apparently not. There are no suspicious patterns in the voting on those stories.
It happens. Facebook have made a few idiotic decisions recently and it's their turn for the [legitimate] disgruntlement (remember Google were getting it much the same).

There will be a plenty of both sensible and silly articles targeting Facebook.

Thanks, that is all I meant. People should just take this current wave of FB stories with a grain of salt.
What a nonsense.

Facebook is acting, people are re-acting. It's only natural that facebook should come under some scrutiny, for one they're huge, secondly they behave like a bull in a china shop with respect to other peoples privacy.

You've been a HN member for all of three months and 10 days, I think it is a little early to start accusing people here of being in some kind of conspiracy against facebook.

There also is no conspiracy against apple, google, microsoft or any other big name company or website.

You got us. This article upvote has been sponsored by MySpace.com
Yikes, fellas. I wasn't trying to accuse anyone of a conspiracy. I just meant that current wave of negative FB stories in the past week seems out of proportion to the degree to which they have changed anything (privacy-related or otherwise) during that time period. The FB-bashing has become fashionable.
Trust me, creepy is not the word.
They were inevitably headed in that direction. There is no other way to justify their sky-high valuation without exploiting private information.
I'd go farther and guess (guess) that major investors have said something like "well, we invested all this money, now we want major returns." What we've seen would then be reaction to that.

And if you're a FB employee, no disrespect to you. If nothing in these posts are true, consider then what FB might be doing wrong so that these kinds of reactions can fester.

Remember that facebooks' customers are not the users, they are the advertisers.
I'm sure that's the way they see it. A company with more foresight would realize that its users are its lifeblood.
I'm sure that Facebook looks on it's users much the way that Archer-Daniels-Midland looks upon soybeans, to be fed and watered and destined for harvesting.
Correct me if I am wrong, this seems like a far leap from what the law was intended to do. The ruling would mean good for Facebook and bad for our society.
Time to start donating to the EFF. They seem to be the only ones looking out for our rights online... They've surprisingly been on the ball, consistently, when these organizations (especially Facebook), do potentially dangerous things with regards to the separation of civil and criminal, to outright privacy violations.
I bought a keychain from them when RMS visited KL. :)
With all this talk about deleting facebook accounts, has anyone ever considered if it might be more effective to get an account banned? You could spam a bunch of people until you get your account permanently banned, I would think that banned accounts eventually get deleted.
How would it be more effective? I can only see it being more annoying for the people you spam.
You could spam a bunch of people until you get your account permanently banned, I would think that banned accounts eventually get deleted.

To the contrary, if Facebook is advised by competent lawyers, I would expect them to make banned accounts invisible to the public but to keep them in their business records indefinitely.

> Facebook claims that Power's tool violates criminal law because Facebook's terms of service ban users from accessing their information through "automatic means."

So what is the point of the Open Graph then? Doesn't that allow me to access my information through automatic means or am I misunderstanding something?

Having just seen this in some boilerplate terms of use, the phrasing almost always includes the phrase "without our express written consent." Which (assuming they have this clause) they can selectively enforce it.
It appears they want Open Graph to be used in response to user actions that are explicit and specific to Facebook, rather than behind-the-scenes aggregation or polling of any sort that keeps your data in sync with other services. Quite a fine line.
Hmmm, so anything goes as long as people still have to go to Facebook.com to get their updates.
Let's take a small step back here; just like the anti-Google sentiment that was about a few months back it seems is Facebooks turn to face the fire (mostly their fault).

A lot of what they are doing is, at best, ethically unsound or, at worst, privacy invading. In this case I'd say (from initial reading) it sits on the scale slap bang in the middle of "a douchebag thing to do".

But. It doesn't feel hypocritical because their argument is that their ToS attempt to deny users the right to access their accounts this way. The Email services, as far as I am aware, that FB scrape either explicitly allow or do not disallow such action. It seems "axe grinding" to bring that into the discussion.

Notably this article does not appear to discuss or link to articles about the suit Facebook has filed [meta point: I hate that, it feels sneaky]. It appears (from research) that it is an long running dispute between Power and Facebook. They have also filed Trademark infringements and other stuff against them at the same time (no comment on the general legitimacy of such claims for the moment).

I haven't fully digested all the information to have a complete opinion on this but... I think that this is part of Facebook trying to win the wider battle with Power.com, I'm not sure it reflects a deliberate move by them to try and turn ToS violations into criminal violations. However I am definitely in agreement with the EFF that if a potential side effect of any eventual ruling will bring in such criminal elements then it is a bad thing and should be fought. Hopefully when I can actually open all the PDF filings the picture will be clearer :)

References (I believe this is the suit being referred to):

http://www.niallkennedy.com/blog/2009/01/facebook-vs-power-v...

http://jolt.law.harvard.edu/digest/9th-circuit/facebook-inc-...

http://en.wikipedia.org/wiki/Facebook,_Inc._v._Power_Venture....

EDIT: amusingly TechCrunch seems to have the best summary of things from last year... http://techcrunch.com/2009/07/09/powercom-countersues-facebo...

I find in a surprising number of instances today's hacker news is tomorrows mainstream news. If the tech blogs are buzzing with this story today you will often find this as a side story on mainstream news sites (the bbc etc) tomorrow.

This will get facebooks attention.

I doubt they will do it full justice - there is over a years legal dispute in the background of this.

What the EFF are worried about (I've read their submission but the original FB brief is downloading reaaaaly slowly) is that where Facebook are claiming Power have committed a criminal offence in ignoring a cease and desist and accessing peoples accounts (apparently contrary to the ToS) the extension that could come from a favourable ruling is that individuals may be breaking criminal laws too (Cal sec 502(c) in particular).

Clearly that is silly and the EFF are asking the courts to see that.

Agreement between private parties != legislation.

Why is this simple notion mentioned nowhere in the EFF letter?

As much as I hate the idea of defending FB, the article clearly mentions California computer crime law, which is legislated, as part of FB's argument.

The EFF lawyer knows this, and that's why your inequality wasn't mentioned.

I know we have several HN users who work at facebook. Do they:

1. Not care?

2. Not see this happening?

3. Not see anything wrong?

4. Can't do anything?

5. Know the "truth," which is substantially different than that being reported?

It seems like one of these ought to be true, and at least in the case of (1-3) should be able to report as much to us.

1) they probably do

2) they probably do

3) they probably do

4) that's probably it

5) or even worse!

Likely their influence is limited and if they don't toe the company line they'll be 'between jobs' next week or so.

Speaking out in public against company policy can get your ass canned in some companies pretty quickly.

And some do speak up:

http://www.securecomputing.net.au/News/164539,facebook-emplo...

If I were working at Facebook this would be the time I would quit. In these times of almost endless opportunities not being able to be working socially responsible while still creating value plus being my own woman/man seems somehow anachronistic to me.
> In these times of almost endless opportunities

I think that you forgot to suffix that with "for developers in Silicon Valley." With the high unemployment rates, I presume there are a lot of people that don't have the luxury of tossing a job due to moral/ethical dilemmas.

Turns out the people in question _are_ developers in Silicon Valley, and I'm pretty confident a Facebook engineer could get another job in the valley if he/she wanted.
A lot of facebookers have a lot of vesting to do though...
I'm going to work at Facebook soon, and I'm paying very close attention to what's going on. I'm looking forward to seeing the other side of the story as it were.
Of course we're here. However, this is an active legal issue, and commenting publicly on it can only hurt.
Fair enough.

But I implore all of you at facebook to make your feelings known to your higher-ups (if you feel, like many of the rest of us on HN, that something bad's happening).

These kind of decisions generally only go in one direction, and only early-on can they be stopped.

If I was considering hiring an employee with Facebook on their resume, I'd definitely ask their opinion on these matters. If they didn't see a problem with them they aren't working with me. If they did see a problem and didn't do anything about it, I'd weight that pretty heavily against them.
What if they said "That's why I'm here."?
"Legal Director Cindy Cohn: "If Facebook's legal argument is upheld, it will hobble companies that enable consumer choice, as well a create a massive expansion in the scope of California criminal law.' "

Or: it will further open up a toehold for new startups to develop alternatives to Facebook - alternatives that treat their user communities better.

The trouble is that alternate networks to Facebook need a certain critical mass in order to succeed
So what's a viable strategy for complaint? People are used to ignoring EULA's and TOS by now. They just want to use Facebook, comment on photos, join groups, play games and keep in touch with friends and family. They don't see this kind of thing as a violation. As long as they're accessing their information on www.facebook.com (accessed by a Google search), why would this worry Joe Average User? Some will see it as a good thing, as it would be effectively illegal for anyone to aggregate their information outside of Facebook. Most of the people I quiz about Facebook don't know who Mark Zuckerburg is, much less care what he does with their data. What worries me is that the route to the escape hatch is buried ever deeper with each reincarnation of the interface and the privacy settings are more complex and time consuming than configuring a robust PF firewall. I'm also considering switching my marital status from single to married just so that I can see ads that don't have anything to do with hook up sites. I would consider an insider protest, where I splash privacy concerns on my wall in my friend's news feed, but they all know where the hide button is. A more interesting approach would be targeting friend's data from outside the site, building a profile and using it nefariously as an object lesson. I fear though that the net result would be a response along the lines of: "This is why Facebook are making this kind of thing illegal". Ultimately, I think you're forced to vote with the delete button. 400-million people who consider E! Entertainment an educational documentary channel really don't give a hoot. Given the vast amount of government and corporate meddling that they already ignore, this is simply one more thing to add to the pile. I do care about it, I support the EFF with a monthly debit order and I talk to people about the concerns. Many just don't see Facebook's actions as an issue.
Some day... that federated social networking channel will sprout up... and each person can host their own identity and friends and silly wall posts on the home workstation. Then we can forget about all the ad spam corporations attempting to jack our shxt.
This BTW would be the ultimate form of rebellion ...
Who would own/host a conversation between you and friend X, you or X? Who would have the right to "delete" it? The point of a social graph is that all the useful information exists on the edges, not at the vertices.
Sure, but if you think about it, you can host yourself as a vertice with all these incoming / outgoing / directed or not associations and any available number of key/value stores or open graphs for shared data, which could be negotiated as needed. Services might crop up to provide this. It doesn't have to be all users under 1 roof for the entire internet.
And this fB open graph nonsense ... you'd have your own property sheet(s) of namespaced attributes (or semantic triples) and websites can negotiate with you for access. Ultimately no corporation would be able to dictate how your data store can be used. Legally it would be your own data domain from the ground up. Checkout VRM ...
The same person that own and/or host your email to that person: namely, you and they, and the providers you choose (which may be yourselves).
I think a lot of the reason people like posting on someone's wall on Facebook, as opposed to mailing them, is that they truly can take back a wall post after it has been submitted and delivered. This is only possible with a "benevolent messenger," an authority between you and the other party that can be biased in your interest. People don't like truly impartial records, although they like to look like they do.
Who owns email? Nobody.
Isn't that called "having a blog"?
I thought about a p2p social networking where each person can host their own data (like you mentioned). Then I checked out Opera Unite. The concept and possibilities are neat. But in practice they ended up way too slow. Maybe in the near future, we can have that.
Shame on you, Facebook.
“After discussing the issues with Power.com for about a month without reaching a resolution, we filed a lawsuit to enforce our terms of service, maintain the integrity of our site and to assure our users’ privacy and security are protected,” said Barry Schnitt, a Facebook spokesman.

What ?? source http://bits.blogs.nytimes.com/2009/01/02/facebook-sues-power...

Facebook is pretty evil.
This is interesting I guess as I've been considering scraping pieces of Facebook recently. They are crazy.
Given that privacy policies and TOS change on most websites, is there any merit to a 'bait and switch' argument or anything like that?

I remember a recent commenter suggesting there was but didn't see any follow up.

Conceptually, there is no contract between FB and its users. It's use at your own will; essentially a one-way deal and therefore cannot be a contract. That said, knowing they monetize our content, can argument be made that our content is 'consideration' and therefore a contract is implied?